Resubmissions

  • 13-08-2021 10:16    210813-wpta271jdx    10
  • 08-08-2021 23:00    210808-fgs5g9pxfs    10
  • 07-08-2021 23:12    210807-g2jw1lmd4a    10
  • 07-08-2021 16:10    210807-51nhct4kfx    10
  • 06-08-2021 23:43    210806-gc2271nxwj    10
  • 06-08-2021 06:00    210806-f443x39x8a    10
  • 05-08-2021 17:08    210805-97y6banvvx    10
  • 04-08-2021 17:25    210804-hkxx2ntr8x    10
  • 04-08-2021 12:12    210804-rjbg4b4y7n    10
  • 03-08-2021 17:12    210803-r2h7ytjwqj    10

Analysis

  • max time kernel
    65s
  • max time network
    163s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    19-07-2021 22:53

General

  • Target
    8 (14).exe
  • Size
    3.0MB
  • MD5
    bb072cad921aa5ce8b97706ce01bc570
  • SHA1
    18bf034906c1341b7817e7361ad27a4425d820bd
  • SHA256
    817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97
  • SHA512
    d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Malware Config

Extracted

  • Family
    vidar
  • Version
    39.6
  • Botnet
    933
  • C2
    https://sslamlssa1.tumblr.com/
  • Attributes
    profile_id: 933

Extracted

  • Family
    smokeloader
  • Version
    2020
  • C2
    http://conceitosseg.com/upload/
    http://integrasidata.com/upload/
    http://ozentekstil.com/upload/
    http://finbelportal.com/upload/
    http://telanganadigital.com/upload/
  • rc4.i32
  • rc4.i32

Extracted

  • Family
    redline
  • Botnet
    sel16
  • C2
    dwarimlari.xyz:80

Extracted

  • Family
    redline
  • Botnet
    sel17
  • C2
    dwarimlari.xyz:80

Extracted

  • Family
    redline
  • Botnet
    oboze_new_serv
  • C2
    86.106.181.209:18845

Extracted

  • Family
    vidar
  • Version
    39.6
  • Botnet
    903
  • C2
    https://sslamlssa1.tumblr.com/
  • Attributes
    profile_id: 903

Extracted

  • Family
    vidar
  • Version
    39.6
  • Botnet
    865
  • C2
    https://sslamlssa1.tumblr.com/
  • Attributes
    profile_id: 865

Extracted

  • Family
    fickerstealer
  • C2
    37.0.8.225:80

Signatures

  • Fickerstealer

    Ficker is an infostealer written in Rust and ASM.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 11 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • redlinestealer 9 IoCs

    RedlineStealer.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Vidar Stealer 6 IoCs
  • ASPack v2.12-2.42 9 IoCs

    Detects executables packed with ASPack v2.12-2.42.

  • Downloads MZ/PE file
  • Executes dropped EXE 39 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 8 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 14 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 4 IoCs
  • Kills process with taskkill 6 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 15 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 62 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s UserManager
    1⤵
    PID:1376
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
    1⤵
    PID:2852
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
    PID:2836
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Browser
    1⤵
    PID:2756
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
    1⤵
    PID:2608
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
    1⤵
    PID:2576
  • C:\Users\Admin\AppData\Local\Temp\8 (14).exe
    "C:\Users\Admin\AppData\Local\Temp\8 (14).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:636
      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1860
          • C:\Users\Admin\AppData\Local\Temp\7zS447043B4\setup_install.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS447043B4\setup_install.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:3828
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c sonia_1.exe
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1564
                  • C:\Users\Admin\AppData\Local\Temp\7zS447043B4\sonia_1.exe
                    sonia_1.exe
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:3156
                      • C:\Users\Admin\AppData\Local\Temp\7zS447043B4\sonia_1.exe
                        "C:\Users\Admin\AppData\Local\Temp\7zS447043B4\sonia_1.exe" -a
                        6⤵
                        • Executes dropped EXE
                        PID:192
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c sonia_4.exe
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2076
                  • C:\Users\Admin\AppData\Local\Temp\7zS447043B4\sonia_4.exe
                    sonia_4.exe
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3824
                      • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:3712
                          • C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
                            "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
                            7⤵
                            • Executes dropped EXE
                            PID:4972
                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                8⤵
                                PID:3584
                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                8⤵
                                PID:4452
                          • C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe
                            "C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe"
                            7⤵
                            PID:720
                              • C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe
                                C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe
                                8⤵
                                PID:4996
                          • C:\Users\Admin\AppData\Local\Temp\setup 326.exe
                            "C:\Users\Admin\AppData\Local\Temp\setup 326.exe"
                            7⤵
                            PID:4752
                              • C:\Windows\winnetdriv.exe
                                "C:\Users\Admin\AppData\Local\Temp\setup 326.exe" 1626746344 0
                                8⤵
                                • Executes dropped EXE
                                PID:4968
                          • C:\Users\Admin\AppData\Local\Temp\setup.exe
                            "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                            7⤵
                            PID:4980
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 804
                                8⤵
                                • Program crash
                                PID:5548
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 788
                                8⤵
                                • Program crash
                                PID:5684
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 884
                                8⤵
                                • Program crash
                                PID:5924
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 996
                                8⤵
                                • Program crash
                                PID:3660
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1016
                                8⤵
                                • Program crash
                                PID:720
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 980
                                8⤵
                                • Program crash
                                PID:5580
                          • C:\Users\Admin\AppData\Local\Temp\zhangd.exe
                            "C:\Users\Admin\AppData\Local\Temp\zhangd.exe"
                            7⤵
                            PID:4192
                              • C:\Users\Admin\AppData\Local\Temp\zhangd.exe
                                "C:\Users\Admin\AppData\Local\Temp\zhangd.exe" -a
                                8⤵
                                PID:2280
                          • C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
                            "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
                            7⤵
                            PID:5324
                              • C:\Windows\system32\WerFault.exe
                                C:\Windows\system32\WerFault.exe -u -p 5324 -s 1004
                                8⤵
                                • Program crash
                                PID:4928
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c sonia_5.exe
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3164
                  • C:\Users\Admin\AppData\Local\Temp\7zS447043B4\sonia_5.exe
                    sonia_5.exe
                    5⤵
                    • Executes dropped EXE
                    PID:2188
                      • C:\Users\Admin\Documents\WeFKtZBAbShU0qidToFPopFo.exe
                        "C:\Users\Admin\Documents\WeFKtZBAbShU0qidToFPopFo.exe"
                        6⤵
                        • Executes dropped EXE
                        • Drops file in Program Files directory
                        PID:4172
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat" "
                            7⤵
                            PID:4316
                              • C:\Windows\SysWOW64\explorer.exe
                                explorer https://iplogger.org/2LBCU6
                                8⤵
                                PID:4308
                          • C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
                            "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
                            7⤵
                            • Executes dropped EXE
                            PID:4540
                              • C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
                                "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
                                8⤵
                                PID:5848
                              • C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
                                "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
                                8⤵
                                PID:5796
                      • C:\Users\Admin\Documents\y11M7t3P6mvYlgCGmcuHwlZJ.exe
                        "C:\Users\Admin\Documents\y11M7t3P6mvYlgCGmcuHwlZJ.exe"
                        6⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:4288
                          • C:\Users\Admin\Documents\y11M7t3P6mvYlgCGmcuHwlZJ.exe
                            C:\Users\Admin\Documents\y11M7t3P6mvYlgCGmcuHwlZJ.exe
                            7⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4232
                      • C:\Users\Admin\Documents\Yt7UzJUyXFgR0AjXtTUVXmqc.exe
                        "C:\Users\Admin\Documents\Yt7UzJUyXFgR0AjXtTUVXmqc.exe"
                        6⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:4380
                          • C:\Users\Admin\Documents\Yt7UzJUyXFgR0AjXtTUVXmqc.exe
                            C:\Users\Admin\Documents\Yt7UzJUyXFgR0AjXtTUVXmqc.exe
                            7⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1400
                      • C:\Users\Admin\Documents\EVwQillsS1F2T54QNo5foDx2.exe
                        "C:\Users\Admin\Documents\EVwQillsS1F2T54QNo5foDx2.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:4372
                          • C:\Users\Admin\Documents\EVwQillsS1F2T54QNo5foDx2.exe
                            C:\Users\Admin\Documents\EVwQillsS1F2T54QNo5foDx2.exe
                            7⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4332
                      • C:\Users\Admin\Documents\1vM38VaifbApvtuRK4s8gquv.exe
                        "C:\Users\Admin\Documents\1vM38VaifbApvtuRK4s8gquv.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:4476
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
                            7⤵
                            PID:4648
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd
                                8⤵
                                PID:3192
                                  • C:\Windows\SysWOW64\findstr.exe
                                    findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
                                    9⤵
                                    PID:1824
                                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                                    Acre.exe.com k
                                    9⤵
                                    PID:3660
                                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                                        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                                        10⤵
                                        PID:4452
                                          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                                            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                                            11⤵
                                            PID:5244
                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                                                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                                                12⤵
                                                PID:5404
                                                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                                                    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                                                    13⤵
                                                    PID:5516
                                                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                                                        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                                                        14⤵
                                                        PID:5756
                                                          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                                                            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                                                            15⤵
                                                            PID:6028
                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                                                                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                                                                16⤵
                                                                PID:5280
                                                                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                                                                    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                                                                    17⤵
                                                                    PID:5628
                                                                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                                                                        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                                                                        18⤵
                                                                        PID:5156
                                                                          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                                                                            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                                                                            19⤵
                                                                            PID:4212
                                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                                                                                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                                                                                20⤵
                                                                                PID:4656
                                  • C:\Windows\SysWOW64\PING.EXE
                                    ping 127.0.0.1 -n 30
                                    9⤵
                                    • Runs ping.exe
                                    PID:4720
                      • C:\Users\Admin\Documents\yEfVx4ln9FOobZdxlDeJn2QO.exe
                        "C:\Users\Admin\Documents\yEfVx4ln9FOobZdxlDeJn2QO.exe"
                        6⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4536
                          • C:\Users\Admin\Documents\yEfVx4ln9FOobZdxlDeJn2QO.exe
                            C:\Users\Admin\Documents\yEfVx4ln9FOobZdxlDeJn2QO.exe
                            7⤵
                            • Executes dropped EXE
                            PID:4368
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c taskkill /im yEfVx4ln9FOobZdxlDeJn2QO.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\yEfVx4ln9FOobZdxlDeJn2QO.exe" & del C:\ProgramData\*.dll & exit
                                8⤵
                                PID:4624
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /im yEfVx4ln9FOobZdxlDeJn2QO.exe /f
                                    9⤵
                                    • Kills process with taskkill
                                    PID:4652
                                  • C:\Windows\SysWOW64\timeout.exe
                                    timeout /t 6
                                    9⤵
                                    • Delays execution with timeout.exe
                                    PID:6040
                      • C:\Users\Admin\Documents\sHCfA5ARfAKuEqfONYg0Qxva.exe
                        "C:\Users\Admin\Documents\sHCfA5ARfAKuEqfONYg0Qxva.exe"
                        6⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4816
                      • C:\Users\Admin\Documents\bAVMkqU4i5ujcPfzi9i014Ni.exe
                        "C:\Users\Admin\Documents\bAVMkqU4i5ujcPfzi9i014Ni.exe"
                        6⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:4244
                          • C:\Users\Admin\Documents\bAVMkqU4i5ujcPfzi9i014Ni.exe
                            "C:\Users\Admin\Documents\bAVMkqU4i5ujcPfzi9i014Ni.exe"
                            7⤵
                            • Executes dropped EXE
                            PID:4436
                      • C:\Users\Admin\Documents\xynyAJDDCZ1elvvVowvecccb.exe
                        "C:\Users\Admin\Documents\xynyAJDDCZ1elvvVowvecccb.exe"
                        6⤵
                        • Executes dropped EXE
                        • Checks BIOS information in registry
                        • Checks whether UAC is enabled
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4456
                      • C:\Users\Admin\Documents\XAg5KbaxE_hbJncnR9p8Wfe0.exe
                        "C:\Users\Admin\Documents\XAg5KbaxE_hbJncnR9p8Wfe0.exe"
                        6⤵
                        PID:744
                          • C:\Users\Admin\Documents\XAg5KbaxE_hbJncnR9p8Wfe0.exe
                            C:\Users\Admin\Documents\XAg5KbaxE_hbJncnR9p8Wfe0.exe
                            7⤵
                            PID:4832
                                                                                        • C:\Users\Admin\Documents\XAg5KbaxE_hbJncnR9p8Wfe0.exe
                                                                                          C:\Users\Admin\Documents\XAg5KbaxE_hbJncnR9p8Wfe0.exe
                                                                                          7⤵
                                                                                            PID:2204
                                                                                        • C:\Users\Admin\Documents\0jDiwoLdFrJyVcSDNsP1IqaL.exe
                                                                                          "C:\Users\Admin\Documents\0jDiwoLdFrJyVcSDNsP1IqaL.exe"
                                                                                          6⤵
                                                                                          • Executes dropped EXE
                                                                                          • Checks BIOS information in registry
                                                                                          • Checks whether UAC is enabled
                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:908
                                                                                        • C:\Users\Admin\Documents\nFE3c8PnbLGuVA9C4eq1WN6W.exe
                                                                                          "C:\Users\Admin\Documents\nFE3c8PnbLGuVA9C4eq1WN6W.exe"
                                                                                          6⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:1004
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im nFE3c8PnbLGuVA9C4eq1WN6W.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\nFE3c8PnbLGuVA9C4eq1WN6W.exe" & del C:\ProgramData\*.dll & exit
                                                                                            7⤵
                                                                                              PID:380
                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                taskkill /im nFE3c8PnbLGuVA9C4eq1WN6W.exe /f
                                                                                                8⤵
                                                                                                • Kills process with taskkill
                                                                                                PID:5676
                                                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                                                timeout /t 6
                                                                                                8⤵
                                                                                                • Delays execution with timeout.exe
                                                                                                PID:5916
                                                                                          • C:\Users\Admin\Documents\S7nWLFA9oD3ONmvLSuEamjCh.exe
                                                                                            "C:\Users\Admin\Documents\S7nWLFA9oD3ONmvLSuEamjCh.exe"
                                                                                            6⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:5084
                                                                                            • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                                                                                              7⤵
                                                                                                PID:2008
                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8D7C0785\setup_install.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zS8D7C0785\setup_install.exe"
                                                                                                  8⤵
                                                                                                    PID:5476
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c karotima_2.exe
                                                                                                      9⤵
                                                                                                        PID:5816
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS8D7C0785\karotima_2.exe
                                                                                                          karotima_2.exe
                                                                                                          10⤵
                                                                                                            PID:5896
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8D7C0785\karotima_2.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zS8D7C0785\karotima_2.exe" -a
                                                                                                              11⤵
                                                                                                                PID:5484
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c karotima_1.exe
                                                                                                            9⤵
                                                                                                              PID:5804
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8D7C0785\karotima_1.exe
                                                                                                                karotima_1.exe
                                                                                                                10⤵
                                                                                                                  PID:5888
                                                                                                                  • C:\Users\Admin\Documents\b7DNrigzczUAlvPZCG0f1PlL.exe
                                                                                                                    "C:\Users\Admin\Documents\b7DNrigzczUAlvPZCG0f1PlL.exe"
                                                                                                                    11⤵
                                                                                                                      PID:4212
                                                                                                                      • C:\Users\Admin\Documents\b7DNrigzczUAlvPZCG0f1PlL.exe
                                                                                                                        C:\Users\Admin\Documents\b7DNrigzczUAlvPZCG0f1PlL.exe
                                                                                                                        12⤵
                                                                                                                          PID:6480
                                                                                                                      • C:\Users\Admin\Documents\lBSp0Yembn4d855dfHaPGcgM.exe
                                                                                                                        "C:\Users\Admin\Documents\lBSp0Yembn4d855dfHaPGcgM.exe"
                                                                                                                        11⤵
                                                                                                                          PID:4040
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
                                                                                                                            12⤵
                                                                                                                              PID:6632
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                cmd
                                                                                                                                13⤵
                                                                                                                                  PID:6932
                                                                                                                                  • C:\Windows\SysWOW64\findstr.exe
                                                                                                                                    findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
                                                                                                                                    14⤵
                                                                                                                                      PID:7040
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Acre.exe.com
                                                                                                                                      Acre.exe.com k
                                                                                                                                      14⤵
                                                                                                                                        PID:6348
                                                                                                                                      • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                        ping 127.0.0.1 -n 30
                                                                                                                                        14⤵
                                                                                                                                        • Runs ping.exe
                                                                                                                                        PID:6640
                                                                                                                                • C:\Users\Admin\Documents\csDzsc9HTYea393fLFGUTq8z.exe
                                                                                                                                  "C:\Users\Admin\Documents\csDzsc9HTYea393fLFGUTq8z.exe"
                                                                                                                                  11⤵
                                                                                                                                    PID:4372
                                                                                                                                    • C:\Users\Admin\Documents\csDzsc9HTYea393fLFGUTq8z.exe
                                                                                                                                      C:\Users\Admin\Documents\csDzsc9HTYea393fLFGUTq8z.exe
                                                                                                                                      12⤵
                                                                                                                                        PID:4464
                                                                                                                                    • C:\Users\Admin\Documents\UDAsmhuCXIioiYD_NaJEUmG5.exe
                                                                                                                                      "C:\Users\Admin\Documents\UDAsmhuCXIioiYD_NaJEUmG5.exe"
                                                                                                                                      11⤵
                                                                                                                                        PID:4808
                                                                                                                                        • C:\Users\Admin\Documents\UDAsmhuCXIioiYD_NaJEUmG5.exe
                                                                                                                                          C:\Users\Admin\Documents\UDAsmhuCXIioiYD_NaJEUmG5.exe
                                                                                                                                          12⤵
                                                                                                                                            PID:1292
                                                                                                                                          • C:\Users\Admin\Documents\UDAsmhuCXIioiYD_NaJEUmG5.exe
                                                                                                                                            C:\Users\Admin\Documents\UDAsmhuCXIioiYD_NaJEUmG5.exe
                                                                                                                                            12⤵
                                                                                                                                              PID:2188
                                                                                                                                          • C:\Users\Admin\Documents\IWC0yvkvxmfNZPfulA0cDgtB.exe
                                                                                                                                            "C:\Users\Admin\Documents\IWC0yvkvxmfNZPfulA0cDgtB.exe"
                                                                                                                                            11⤵
                                                                                                                                              PID:4044
                                                                                                                                              • C:\Users\Admin\Documents\IWC0yvkvxmfNZPfulA0cDgtB.exe
                                                                                                                                                C:\Users\Admin\Documents\IWC0yvkvxmfNZPfulA0cDgtB.exe
                                                                                                                                                12⤵
                                                                                                                                                  PID:5500
                                                                                                                                                • C:\Users\Admin\Documents\IWC0yvkvxmfNZPfulA0cDgtB.exe
                                                                                                                                                  C:\Users\Admin\Documents\IWC0yvkvxmfNZPfulA0cDgtB.exe
                                                                                                                                                  12⤵
                                                                                                                                                    PID:5416
                                                                                                                                                • C:\Users\Admin\Documents\FtGihnmDiiYMxxnbFNZWn417.exe
                                                                                                                                                  "C:\Users\Admin\Documents\FtGihnmDiiYMxxnbFNZWn417.exe"
                                                                                                                                                  11⤵
                                                                                                                                                    PID:4616
                                                                                                                                                    • C:\Users\Admin\Documents\FtGihnmDiiYMxxnbFNZWn417.exe
                                                                                                                                                      C:\Users\Admin\Documents\FtGihnmDiiYMxxnbFNZWn417.exe
                                                                                                                                                      12⤵
                                                                                                                                                        PID:6608
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c taskkill /im FtGihnmDiiYMxxnbFNZWn417.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\FtGihnmDiiYMxxnbFNZWn417.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                          13⤵
                                                                                                                                                            PID:7196
                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                              taskkill /im FtGihnmDiiYMxxnbFNZWn417.exe /f
                                                                                                                                                              14⤵
                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                              PID:7348
                                                                                                                                                      • C:\Users\Admin\Documents\aYcnj6r01ze6U4jwC_Q0XhS7.exe
                                                                                                                                                        "C:\Users\Admin\Documents\aYcnj6r01ze6U4jwC_Q0XhS7.exe"
                                                                                                                                                        11⤵
                                                                                                                                                          PID:5216
                                                                                                                                                        • C:\Users\Admin\Documents\Vx95FPHooptnHbqt6n0d43Rr.exe
                                                                                                                                                          "C:\Users\Admin\Documents\Vx95FPHooptnHbqt6n0d43Rr.exe"
                                                                                                                                                          11⤵
                                                                                                                                                            PID:4736
                                                                                                                                                          • C:\Users\Admin\Documents\_GTa1li8WvM4ELTAoLOXO4S4.exe
                                                                                                                                                            "C:\Users\Admin\Documents\_GTa1li8WvM4ELTAoLOXO4S4.exe"
                                                                                                                                                            11⤵
                                                                                                                                                              PID:5436
                                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                12⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                PID:5032
                                                                                                                                                              • C:\Users\Admin\Documents\_GTa1li8WvM4ELTAoLOXO4S4.exe
                                                                                                                                                                C:\Users\Admin\Documents\_GTa1li8WvM4ELTAoLOXO4S4.exe
                                                                                                                                                                12⤵
                                                                                                                                                                  PID:5748
                                                                                                                                                              • C:\Users\Admin\Documents\r4iew5YuyWJvmS9_5K7FRQlN.exe
                                                                                                                                                                "C:\Users\Admin\Documents\r4iew5YuyWJvmS9_5K7FRQlN.exe"
                                                                                                                                                                11⤵
                                                                                                                                                                  PID:500
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                    12⤵
                                                                                                                                                                      PID:6556
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                      12⤵
                                                                                                                                                                        PID:904
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                        12⤵
                                                                                                                                                                          PID:6704
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                          12⤵
                                                                                                                                                                            PID:7476
                                                                                                                                                                        • C:\Users\Admin\Documents\efgwllFFyQZu1xbZ0jkAh84b.exe
                                                                                                                                                                          "C:\Users\Admin\Documents\efgwllFFyQZu1xbZ0jkAh84b.exe"
                                                                                                                                                                          11⤵
                                                                                                                                                                            PID:5144
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\6392269.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\6392269.exe"
                                                                                                                                                                              12⤵
                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                              PID:4372
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\2963966.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\2963966.exe"
                                                                                                                                                                              12⤵
                                                                                                                                                                                PID:6356
                                                                                                                                                                            • C:\Users\Admin\Documents\qcvMFMa4LlHVa9ffUd2GAkQq.exe
                                                                                                                                                                              "C:\Users\Admin\Documents\qcvMFMa4LlHVa9ffUd2GAkQq.exe"
                                                                                                                                                                              11⤵
                                                                                                                                                                                PID:4664
                                                                                                                                                                              • C:\Users\Admin\Documents\aivCV11lNAtwGCWPOId2q_2V.exe
                                                                                                                                                                                "C:\Users\Admin\Documents\aivCV11lNAtwGCWPOId2q_2V.exe"
                                                                                                                                                                                11⤵
                                                                                                                                                                                  PID:5676
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c taskkill /im aivCV11lNAtwGCWPOId2q_2V.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\aivCV11lNAtwGCWPOId2q_2V.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                    12⤵
                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                    PID:5032
                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                      taskkill /im aivCV11lNAtwGCWPOId2q_2V.exe /f
                                                                                                                                                                                      13⤵
                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                      PID:6712
                                                                                                                                                                                    • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                      timeout /t 6
                                                                                                                                                                                      13⤵
                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                      PID:7732
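Three patterns in this part of the tree are worth turning into rules. First, the cmd.exe chain under aivCV11lNAtwGCWPOId2q_2V.exe: taskkill on its parent's image name, a six-second timeout so the parent can exit, then del of the parent's own path and of C:\ProgramData\*.dll (the latter is consistent with Vidar's documented cleanup of the browser-support DLLs it stages there, although the tree itself does not name the family for this node). Second, 22222.exe with /CookiesFile pointing at an Edge profile's Cookies database and /scookiestxt writing a cookies.txt to %TEMP%; those switch names match NirSoft ChromeCookiesView's command-line syntax, but the report does not identify the tool, so treat that as an inference. Third, binaries that spawn a copy of themselves (HQqXa0_GiONZ35D6xuO3iyCC.exe launching its own path twice, and the "-a" relaunches of MmIsXsSFIZmlMh0LjGaNjalA.exe and karotima_2.exe), which alongside the "Suspicious use of SetThreadContext" tags is the shape of injection into a fresh self-image. The script below is an added example and not part of the sandbox report: it rebuilds a few of these nodes as Sysmon-style process-creation records (PIDs, images and command lines copied from the tree; parent links follow the nesting and are left blank where the parent lies outside this excerpt) and runs the three rules over them.

```python
"""Triage rules for the process tree above.

Added example, not part of the sandbox report: EVENTS is constructed from
the tree (PIDs, images and command lines copied; parent links follow the
nesting, "" where the parent lies outside this excerpt).
"""
import re
from typing import Dict, List, Optional

Event = Dict[str, str]

EVENTS: List[Event] = [
    {"pid": "5676", "ppid": "",
     "image": r"C:\Users\Admin\Documents\aivCV11lNAtwGCWPOId2q_2V.exe",
     "cmdline": r'"C:\Users\Admin\Documents\aivCV11lNAtwGCWPOId2q_2V.exe"'},
    {"pid": "5032", "ppid": "5676",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r'"C:\Windows\System32\cmd.exe" /c taskkill /im aivCV11lNAtwGCWPOId2q_2V.exe /f '
                 r'& timeout /t 6 & del /f /q "C:\Users\Admin\Documents\aivCV11lNAtwGCWPOId2q_2V.exe" '
                 r'& del C:\ProgramData\*.dll & exit')},
    {"pid": "6712", "ppid": "5032",
     "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": r"taskkill /im aivCV11lNAtwGCWPOId2q_2V.exe /f"},
    {"pid": "7732", "ppid": "5032",
     "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": r"timeout /t 6"},
    {"pid": "6704", "ppid": "",
     "image": r"C:\Users\Admin\AppData\Local\Temp\22222.exe",
     "cmdline": (r'C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile '
                 r'"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" '
                 r'/scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt')},
    {"pid": "6772", "ppid": "",
     "image": r"C:\Users\Admin\Documents\HQqXa0_GiONZ35D6xuO3iyCC.exe",
     "cmdline": r'"C:\Users\Admin\Documents\HQqXa0_GiONZ35D6xuO3iyCC.exe"'},
    {"pid": "7816", "ppid": "6772",
     "image": r"C:\Users\Admin\Documents\HQqXa0_GiONZ35D6xuO3iyCC.exe",
     "cmdline": r"C:\Users\Admin\Documents\HQqXa0_GiONZ35D6xuO3iyCC.exe"},
    {"pid": "8100", "ppid": "6772",
     "image": r"C:\Users\Admin\Documents\HQqXa0_GiONZ35D6xuO3iyCC.exe",
     "cmdline": r"C:\Users\Admin\Documents\HQqXa0_GiONZ35D6xuO3iyCC.exe"},
]

# `del [/switches] <target>`; the target may be quoted and stops at the next `&`.
DEL_TARGET_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+("[^"]*"|[^\s&]+)', re.IGNORECASE)
# The delay that lets the parent exit before its file is removed.
DELAY_RE = re.compile(r"\b(timeout\s+/t\s+\d+|ping\b[^&]*)", re.IGNORECASE)
COOKIES_FILE_RE = re.compile(r'/CookiesFile\s+("[^"]*"|\S+)', re.IGNORECASE)


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def triage(events: List[Event]) -> List[Dict[str, str]]:
    """Run three rules over process-creation events and return the findings."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Dict[str, str]] = []
    for e in events:
        parent: Optional[Event] = by_pid.get(e["ppid"])
        cmd = e["cmdline"]

        # Rule 1: cmd.exe started by X that kills X and then deletes X's own
        # file, normally behind a timeout/ping delay, i.e. X removing itself.
        if parent and _basename(e["image"]) == "cmd.exe" and re.search(r"\btaskkill\b", cmd, re.I):
            targets = [_norm(t) for t in DEL_TARGET_RE.findall(cmd)]
            if _norm(parent["image"]) in targets:
                delay = DELAY_RE.search(cmd)
                findings.append({"rule": "self_delete_chain", "pid": e["pid"],
                                 "detail": "delay=%s; targets=%s" % (
                                     delay.group(1) if delay else "none", ";".join(targets))})

        # Rule 2: a browser cookie database handed to a tool that writes cookies.txt.
        low = cmd.lower()
        if "/cookiesfile" in low and "/scookiestxt" in low:
            m = COOKIES_FILE_RE.search(cmd)
            findings.append({"rule": "cookie_dump", "pid": e["pid"],
                             "detail": _norm(m.group(1)) if m else ""})

        # Rule 3: a process launching its own image again (hollowing/injection target).
        if parent and _norm(parent["image"]) == _norm(e["image"]):
            findings.append({"rule": "self_relaunch", "pid": e["pid"],
                             "detail": "child of %s with identical image" % parent["pid"]})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f["rule"], f["pid"], f["detail"])
```

Rule 3 on its own is noisy (installers and updaters relaunch themselves all the time); in practice it is worth alerting on only when combined with the SetThreadContext signature or with a child that has no visible command-line arguments, as here.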
                                                                                                                                                                                • C:\Users\Admin\Documents\c5BzAfsa7AFGKm8re4gR7JLw.exe
                                                                                                                                                                                  "C:\Users\Admin\Documents\c5BzAfsa7AFGKm8re4gR7JLw.exe"
                                                                                                                                                                                  11⤵
                                                                                                                                                                                    PID:4652
                                                                                                                                                                                  • C:\Users\Admin\Documents\MmIsXsSFIZmlMh0LjGaNjalA.exe
                                                                                                                                                                                    "C:\Users\Admin\Documents\MmIsXsSFIZmlMh0LjGaNjalA.exe"
                                                                                                                                                                                    11⤵
                                                                                                                                                                                      PID:5904
                                                                                                                                                                                      • C:\Users\Admin\Documents\MmIsXsSFIZmlMh0LjGaNjalA.exe
                                                                                                                                                                                        "C:\Users\Admin\Documents\MmIsXsSFIZmlMh0LjGaNjalA.exe" -a
                                                                                                                                                                                        12⤵
                                                                                                                                                                                          PID:6464
                                                                                                                                                                                      • C:\Users\Admin\Documents\NU5eCOaBAGRqDnq2kxN_sWkR.exe
                                                                                                                                                                                        "C:\Users\Admin\Documents\NU5eCOaBAGRqDnq2kxN_sWkR.exe"
                                                                                                                                                                                        11⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        PID:744
                                                                                                                                                                                      • C:\Users\Admin\Documents\1stGA8XfY6vLFUuSFD50gB4T.exe
                                                                                                                                                                                        "C:\Users\Admin\Documents\1stGA8XfY6vLFUuSFD50gB4T.exe"
                                                                                                                                                                                        11⤵
                                                                                                                                                                                          PID:1012
                                                                                                                                                                                          • C:\Users\Admin\Documents\1stGA8XfY6vLFUuSFD50gB4T.exe
                                                                                                                                                                                            "C:\Users\Admin\Documents\1stGA8XfY6vLFUuSFD50gB4T.exe"
                                                                                                                                                                                            12⤵
                                                                                                                                                                                              PID:6872
                                                                                                                                                                                          • C:\Users\Admin\Documents\7gac_Nfj4vmNRkVfMJq1Fw8C.exe
                                                                                                                                                                                            "C:\Users\Admin\Documents\7gac_Nfj4vmNRkVfMJq1Fw8C.exe"
                                                                                                                                                                                            11⤵
                                                                                                                                                                                              PID:6172
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                                                                                                                                                                                                12⤵
                                                                                                                                                                                                  PID:5864
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS8E6FBE66\setup_install.exe
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\7zS8E6FBE66\setup_install.exe"
                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                      PID:6236
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c karotima_2.exe
                                                                                                                                                                                                        14⤵
                                                                                                                                                                                                          PID:6576
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS8E6FBE66\karotima_2.exe
                                                                                                                                                                                                            karotima_2.exe
                                                                                                                                                                                                            15⤵
                                                                                                                                                                                                              PID:6692
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8E6FBE66\karotima_2.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\7zS8E6FBE66\karotima_2.exe" -a
                                                                                                                                                                                                                16⤵
                                                                                                                                                                                                                  PID:6592
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c karotima_1.exe
                                                                                                                                                                                                              14⤵
                                                                                                                                                                                                                PID:6272
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8E6FBE66\karotima_1.exe
                                                                                                                                                                                                                  karotima_1.exe
                                                                                                                                                                                                                  15⤵
                                                                                                                                                                                                                    PID:4712
                                                                                                                                                                                                                    • C:\Users\Admin\Documents\HQqXa0_GiONZ35D6xuO3iyCC.exe
                                                                                                                                                                                                                      "C:\Users\Admin\Documents\HQqXa0_GiONZ35D6xuO3iyCC.exe"
                                                                                                                                                                                                                      16⤵
                                                                                                                                                                                                                        PID:6772
                                                                                                                                                                                                                        • C:\Users\Admin\Documents\HQqXa0_GiONZ35D6xuO3iyCC.exe
                                                                                                                                                                                                                          C:\Users\Admin\Documents\HQqXa0_GiONZ35D6xuO3iyCC.exe
                                                                                                                                                                                                                          17⤵
                                                                                                                                                                                                                            PID:7816
                                                                                                                                                                                                                          • C:\Users\Admin\Documents\HQqXa0_GiONZ35D6xuO3iyCC.exe
                                                                                                                                                                                                                            C:\Users\Admin\Documents\HQqXa0_GiONZ35D6xuO3iyCC.exe
                                                                                                                                                                                                                            17⤵
                                                                                                                                                                                                                              PID:8100
                                                                                                                                                                                                                          • C:\Users\Admin\Documents\9XltUORyGeoC9dRqed_y9KPs.exe
                                                                                                                                                                                                                            "C:\Users\Admin\Documents\9XltUORyGeoC9dRqed_y9KPs.exe"
                                                                                                                                                                                                                            16⤵
                                                                                                                                                                                                                              PID:6576
                                                                                                                                                                                                                              • C:\Users\Admin\Documents\9XltUORyGeoC9dRqed_y9KPs.exe
                                                                                                                                                                                                                                C:\Users\Admin\Documents\9XltUORyGeoC9dRqed_y9KPs.exe
                                                                                                                                                                                                                                17⤵
                                                                                                                                                                                                                                  PID:7864
                                                                                                                                                                                                                              • C:\Users\Admin\Documents\CVEEEQ0ecMZfiCRUmok3eyK0.exe
                                                                                                                                                                                                                                "C:\Users\Admin\Documents\CVEEEQ0ecMZfiCRUmok3eyK0.exe"
                                                                                                                                                                                                                                16⤵
                                                                                                                                                                                                                                  PID:3508
                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\CVEEEQ0ecMZfiCRUmok3eyK0.exe
                                                                                                                                                                                                                                    C:\Users\Admin\Documents\CVEEEQ0ecMZfiCRUmok3eyK0.exe
                                                                                                                                                                                                                                    17⤵
                                                                                                                                                                                                                                      PID:7764
                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\p20DkfeAiz9WVLUikiojr5W5.exe
                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\p20DkfeAiz9WVLUikiojr5W5.exe"
                                                                                                                                                                                                                                    16⤵
                                                                                                                                                                                                                                      PID:5232
                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\2r7ftlHlxEWdbPFGnIzKLuSn.exe
                                                                                                                                                                                                                                      "C:\Users\Admin\Documents\2r7ftlHlxEWdbPFGnIzKLuSn.exe"
                                                                                                                                                                                                                                      16⤵
                                                                                                                                                                                                                                        PID:5500
                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\2r7ftlHlxEWdbPFGnIzKLuSn.exe
                                                                                                                                                                                                                                          C:\Users\Admin\Documents\2r7ftlHlxEWdbPFGnIzKLuSn.exe
      17⤵
        PID:7844
• C:\Users\Admin\Documents\F0efoLthWrUZIKmxoC7WNklu.exe
  "C:\Users\Admin\Documents\F0efoLthWrUZIKmxoC7WNklu.exe"
  16⤵
    PID:5560
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
      17⤵
        PID:7712
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          18⤵
            PID:7228
            • C:\Windows\SysWOW64\findstr.exe
              findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
              19⤵
                PID:6196
• C:\Users\Admin\Documents\pXXTxDctmr5kdjzrePX7KCXs.exe
  "C:\Users\Admin\Documents\pXXTxDctmr5kdjzrePX7KCXs.exe"
  16⤵
    PID:6176
    • C:\Users\Admin\Documents\pXXTxDctmr5kdjzrePX7KCXs.exe
      C:\Users\Admin\Documents\pXXTxDctmr5kdjzrePX7KCXs.exe
      17⤵
        PID:7668
    • C:\Users\Admin\Documents\pXXTxDctmr5kdjzrePX7KCXs.exe
      C:\Users\Admin\Documents\pXXTxDctmr5kdjzrePX7KCXs.exe
      17⤵
        PID:7272
• C:\Users\Admin\Documents\whM3UdbvCccRXUzArwrgBSQs.exe
  "C:\Users\Admin\Documents\whM3UdbvCccRXUzArwrgBSQs.exe"
  16⤵
    PID:7108
    • C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      17⤵
        PID:7544
• C:\Users\Admin\Documents\aJAgy7wbm9lzZT1YOZZak8H8.exe
  "C:\Users\Admin\Documents\aJAgy7wbm9lzZT1YOZZak8H8.exe"
  16⤵
    PID:2292
    • C:\Users\Admin\Documents\aJAgy7wbm9lzZT1YOZZak8H8.exe
      "C:\Users\Admin\Documents\aJAgy7wbm9lzZT1YOZZak8H8.exe"
      17⤵
        PID:7336
• C:\Users\Admin\Documents\kpB21S_eSrh7jZgchKyt3h5M.exe
  "C:\Users\Admin\Documents\kpB21S_eSrh7jZgchKyt3h5M.exe"
  16⤵
    PID:4548
• C:\Users\Admin\Documents\g7v_ciNoM5CkRglai3xcbZ65.exe
  "C:\Users\Admin\Documents\g7v_ciNoM5CkRglai3xcbZ65.exe"
  16⤵
    PID:628
    • C:\Users\Admin\AppData\Roaming\4249900.exe
      "C:\Users\Admin\AppData\Roaming\4249900.exe"
      17⤵
        PID:3276
    • C:\Users\Admin\AppData\Roaming\5061531.exe
      "C:\Users\Admin\AppData\Roaming\5061531.exe"
      17⤵
        PID:7472
• C:\Users\Admin\Documents\fWBHqKNuvLyDbW7OCUhJFsOz.exe
  "C:\Users\Admin\Documents\fWBHqKNuvLyDbW7OCUhJFsOz.exe"
  16⤵
    PID:7016
• C:\Users\Admin\Documents\SjeHDVCxzwN6Rp_Dlzj30lAH.exe
  "C:\Users\Admin\Documents\SjeHDVCxzwN6Rp_Dlzj30lAH.exe"
  16⤵
    PID:4188
• C:\Users\Admin\Documents\ViiOtjL75UUnlQXn2VjKdu7Y.exe
  "C:\Users\Admin\Documents\ViiOtjL75UUnlQXn2VjKdu7Y.exe"
  16⤵
    PID:5636
    • C:\Users\Admin\Documents\ViiOtjL75UUnlQXn2VjKdu7Y.exe
      C:\Users\Admin\Documents\ViiOtjL75UUnlQXn2VjKdu7Y.exe
      17⤵
        PID:7024
    • C:\Users\Admin\Documents\ViiOtjL75UUnlQXn2VjKdu7Y.exe
      C:\Users\Admin\Documents\ViiOtjL75UUnlQXn2VjKdu7Y.exe
      17⤵
        PID:5528
    • C:\Users\Admin\Documents\ViiOtjL75UUnlQXn2VjKdu7Y.exe
      C:\Users\Admin\Documents\ViiOtjL75UUnlQXn2VjKdu7Y.exe
      17⤵
        PID:6016
• C:\Users\Admin\Documents\Vk2BsYZxNI9oITqhhnZoWz7A.exe
  "C:\Users\Admin\Documents\Vk2BsYZxNI9oITqhhnZoWz7A.exe"
  16⤵
    PID:7372
• C:\Users\Admin\Documents\EM2I1OILtgmjVcBlburzoIXs.exe
  "C:\Users\Admin\Documents\EM2I1OILtgmjVcBlburzoIXs.exe"
  16⤵
    PID:7252
• C:\Users\Admin\Documents\Fam19bW30SEJJtvyEl8DT1qN.exe
  "C:\Users\Admin\Documents\Fam19bW30SEJJtvyEl8DT1qN.exe"
  16⤵
    PID:7484
• C:\Users\Admin\Documents\VUh7QklvnHWnaIf63acTTTt6.exe
  "C:\Users\Admin\Documents\VUh7QklvnHWnaIf63acTTTt6.exe"
  16⤵
    PID:7552
• C:\Users\Admin\Documents\3A0A_fM7nKHjyP6CWjRGtgs6.exe
  "C:\Users\Admin\Documents\3A0A_fM7nKHjyP6CWjRGtgs6.exe"
  16⤵
    PID:7592
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      17⤵
        PID:7996
        • C:\Users\Admin\AppData\Local\Temp\7zSC3FD0F96\setup_install.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSC3FD0F96\setup_install.exe"
          18⤵
            PID:6188
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c karotima_2.exe
              19⤵
                PID:4572
                • C:\Users\Admin\AppData\Local\Temp\7zSC3FD0F96\karotima_2.exe
                  karotima_2.exe
                  20⤵
                    PID:4108
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c karotima_1.exe
                                                                                                                                                                                                                                                                                                            19⤵
                                                                                                                                                                                                                                                                                                              PID:8024
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSC3FD0F96\karotima_1.exe
                                                                                                                                                                                                                                                                                                                karotima_1.exe
                                                                                                                                                                                                                                                                                                                20⤵
                                                                                                                                                                                                                                                                                                                  PID:7272
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\WMX3LblEoQJKCmO6NMAHGR2N.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\WMX3LblEoQJKCmO6NMAHGR2N.exe"
                                                                                                                                                                                                                                                                                                          16⤵
                                                                                                                                                                                                                                                                                                            PID:7812
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\WMX3LblEoQJKCmO6NMAHGR2N.exe
                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\WMX3LblEoQJKCmO6NMAHGR2N.exe" -a
                                                                                                                                                                                                                                                                                                              17⤵
                                                                                                                                                                                                                                                                                                                PID:8160
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\aHWtDFB4jQ64Nrff95ACENHi.exe
                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\aHWtDFB4jQ64Nrff95ACENHi.exe"
                                                                                                                                                                                                                                                                                                    11⤵
                                                                                                                                                                                                                                                                                                      PID:5252
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\QdhFWBC3lfKodT4Ie9paWKww.exe
                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Documents\QdhFWBC3lfKodT4Ie9paWKww.exe"
                                                                                                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                                                                                                        PID:6192
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\HZZ1IaGQMGLWKS0jgrfvUb6V.exe
                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\HZZ1IaGQMGLWKS0jgrfvUb6V.exe"
                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                              PID:5056
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\omFKp9PGjzpkxdxHRoTFFfUx.exe
                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\omFKp9PGjzpkxdxHRoTFFfUx.exe"
                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                PID:5032
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\omFKp9PGjzpkxdxHRoTFFfUx.exe
                                                                                                                                                                                                                                                                                                  C:\Users\Admin\Documents\omFKp9PGjzpkxdxHRoTFFfUx.exe
                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                    PID:4968
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 24
                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                      PID:4656
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\wwRsulrENBdsCGynuYuA1oaR.exe
                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\wwRsulrENBdsCGynuYuA1oaR.exe"
                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                  PID:4960
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                      PID:5364
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                        PID:5984
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                          PID:5924
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                            PID:4640
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\hfo5AFgEOXu4DSUwMYsZJ1Hf.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\hfo5AFgEOXu4DSUwMYsZJ1Hf.exe"
                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                          PID:4216
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 660
                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                            PID:1068
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 648
                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                            PID:3156
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 684
                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                            PID:628
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 708
    7⤵
    • Program crash
    PID:4324
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1092
    7⤵
    • Program crash
    PID:1568
• C:\Users\Admin\Documents\Yj8DAKUQDhuzB7fAv39Zoqxt.exe
  "C:\Users\Admin\Documents\Yj8DAKUQDhuzB7fAv39Zoqxt.exe"
  6⤵
  • Executes dropped EXE
  PID:4696
• C:\Users\Admin\Documents\clYB_tEZ7GUtzAX9MSGvpJap.exe
  "C:\Users\Admin\Documents\clYB_tEZ7GUtzAX9MSGvpJap.exe"
  6⤵
  • Executes dropped EXE
  PID:2236
  • C:\Users\Admin\Documents\clYB_tEZ7GUtzAX9MSGvpJap.exe
    "C:\Users\Admin\Documents\clYB_tEZ7GUtzAX9MSGvpJap.exe" -a
    7⤵
      PID:744
  • C:\Users\Admin\Documents\W5zODojbgSofNi7I2idPOhdk.exe
    "C:\Users\Admin\Documents\W5zODojbgSofNi7I2idPOhdk.exe"
    6⤵
      PID:4844
      • C:\Users\Admin\AppData\Roaming\6336675.exe
        "C:\Users\Admin\AppData\Roaming\6336675.exe"
        7⤵
          PID:5368
        • C:\Users\Admin\AppData\Roaming\4417645.exe
          "C:\Users\Admin\AppData\Roaming\4417645.exe"
          7⤵
            PID:5364
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_6.exe
      4⤵
      • Suspicious use of WriteProcessMemory
      PID:3460
      • C:\Users\Admin\AppData\Local\Temp\7zS447043B4\sonia_6.exe
        sonia_6.exe
        5⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2376
        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          6⤵
          • Executes dropped EXE
          PID:3984
        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          6⤵
          • Executes dropped EXE
          PID:4396
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_7.exe
      4⤵
        PID:1520
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c sonia_3.exe
        4⤵
        • Suspicious use of WriteProcessMemory
        PID:3272
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c sonia_2.exe
        4⤵
        • Suspicious use of WriteProcessMemory
        PID:744
• c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
  1⤵
    PID:1908
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s SENS
    1⤵
      PID:1428
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Themes
      1⤵
        PID:1180
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
        1⤵
          PID:1096
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s Schedule
          1⤵
          • Drops file in System32 directory
          PID:68
          • C:\Users\Admin\AppData\Roaming\iawtjdt
            C:\Users\Admin\AppData\Roaming\iawtjdt
            2⤵
              PID:7284
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
            1⤵
              PID:340
            • \??\c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s BITS
              1⤵
              • Suspicious use of SetThreadContext
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1204
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                        PID:1356
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS447043B4\sonia_3.exe
                                                                                                                                                                                                                                                                                                                      sonia_3.exe
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                      • Modifies system certificate store
                                                                                                                                                                                                                                                                                                                      PID:3948
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im sonia_3.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS447043B4\sonia_3.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                          PID:4664
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                            taskkill /im sonia_3.exe /f
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                            PID:5392
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                                                            timeout /t 6
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                            PID:3912
                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS447043B4\sonia_2.exe
                                                                                                                                                                                                                                                                                                                        sonia_2.exe
                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                        • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                        PID:3808
                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                                                                                                        rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                        PID:1664
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                          rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                          PID:2604
                                                                                                                                                                                                                                                                                                                      • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                          PID:5740
                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                                                                                                          rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                          • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                          PID:6012
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                            rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                              PID:2384
                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                                                                                                            rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                            PID:6140
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                              rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                PID:2104
                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                                                                                                              rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                              PID:5192
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                  PID:5280
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 624
      3⤵
      • Program crash
      PID:5860
• C:\Users\Admin\AppData\Local\Temp\345A.exe
  C:\Users\Admin\AppData\Local\Temp\345A.exe
  1⤵
  PID:6340
  • C:\ProgramData\XGKAN6GVGMK3S3QW.exe
    "C:\ProgramData\XGKAN6GVGMK3S3QW.exe"
    2⤵
    PID:7320
  • C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im 345A.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\345A.exe" & del C:\ProgramData\*.dll & exit
    2⤵
    PID:7384
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im 345A.exe /f
      3⤵
      • Kills process with taskkill
      PID:4320
• C:\Users\Admin\AppData\Local\Temp\4A73.exe
  C:\Users\Admin\AppData\Local\Temp\4A73.exe
  1⤵
  PID:6316
• C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  1⤵
  PID:6464
• C:\Windows\system32\browser_broker.exe
  C:\Windows\system32\browser_broker.exe -Embedding
  1⤵
  PID:5924
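The cmd.exe entry under 345A.exe (PID 7384) is a self-deletion chain: the dropper spawns a shell that kills the dropper by image name, waits six seconds for the handle to close, deletes the dropper from %TEMP%, and sweeps any DLLs it staged in C:\ProgramData. The sandbox tags only the taskkill step; the chain as a whole is the stronger signal. The following script is an added example, not part of the sandbox report or of any tool it names: it parses command lines of this shape and reports what the chain kills and deletes. The first two sample lines are quoted from the process tree above; the third is a constructed benign control.

```python
"""Flag self-deletion command chains (taskkill -> timeout -> del) in
sandbox process-tree command lines. Added example; not the report's code."""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SelfDeleteFinding:
    killed_image: Optional[str] = None          # value of taskkill /im
    delay_seconds: Optional[int] = None         # value of timeout /t
    deleted_paths: List[str] = field(default_factory=list)     # del targets without wildcards
    wildcard_deletes: List[str] = field(default_factory=list)  # del targets such as *.dll

    @property
    def matches(self) -> bool:
        """True when the chain kills an image AND deletes a file of that name."""
        if not self.killed_image:
            return False
        name = self.killed_image.lower()
        return any(p.lower().endswith(name) for p in self.deleted_paths)


def _split_chain(cmdline: str) -> List[str]:
    """Drop the '"...cmd.exe" /c' prefix if present, then split on & / &&."""
    m = re.search(r'cmd(?:\.exe)?"?\s+/c\s+(.*)$', cmdline, re.IGNORECASE)
    body = m.group(1) if m else cmdline
    return [seg.strip() for seg in re.split(r"\s*&{1,2}\s*", body) if seg.strip()]


def _tokens(segment: str) -> List[str]:
    # posix=False keeps Windows backslashes; quotes stay on the token, so strip them.
    return [t.strip('"') for t in shlex.split(segment, posix=False)]


def analyze_cmdline(cmdline: str) -> SelfDeleteFinding:
    """Walk each '&'-separated command and collect the kill/wait/delete steps."""
    finding = SelfDeleteFinding()
    for segment in _split_chain(cmdline):
        toks = _tokens(segment)
        if not toks:
            continue
        verb = toks[0].lower()
        if verb == "taskkill":
            for i, t in enumerate(toks):
                if t.lower() == "/im" and i + 1 < len(toks):
                    finding.killed_image = toks[i + 1]
        elif verb == "timeout":
            for i, t in enumerate(toks):
                if t.lower() == "/t" and i + 1 < len(toks) and toks[i + 1].isdigit():
                    finding.delay_seconds = int(toks[i + 1])
        elif verb in ("del", "erase"):
            for t in toks[1:]:
                if t.startswith("/"):          # /f, /q and similar switches
                    continue
                if any(c in t for c in "*?"):
                    finding.wildcard_deletes.append(t)
                else:
                    finding.deleted_paths.append(t)
    return finding


# Sample input: lines 1 and 2 are from the process tree above; line 3 is a
# constructed benign command used as a control.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c taskkill /im 345A.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\345A.exe" & del C:\ProgramData\*.dll & exit',
    r"taskkill /im 345A.exe /f",
    r'"C:\Windows\System32\cmd.exe" /c dir C:\Users\Admin & exit',
]


def scan(cmdlines: List[str]) -> List[Tuple[str, SelfDeleteFinding]]:
    """Return (cmdline, finding) for every line that forms a self-deletion chain."""
    hits = []
    for c in cmdlines:
        f = analyze_cmdline(c)
        if f.matches:
            hits.append((c, f))
    return hits


if __name__ == "__main__":
    for cmd, f in scan(SAMPLE_CMDLINES):
        print(f"self-delete chain: kills {f.killed_image}, waits {f.delay_seconds}s, "
              f"deletes {f.deleted_paths}, wildcard {f.wildcard_deletes}")
```

The bare `taskkill /im 345A.exe /f` line (the child process the sandbox tagged) does not match on its own; only the parent shell that also deletes the same image does. The wildcard delete is recorded separately because a sweep of C:\ProgramData\*.dll is evidence cleanup rather than self-deletion and deserves its own tag.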

Network

MITRE ATT&CK Enterprise v6

Downloads

• memory/68-224-0x0000027FAC210000-0x0000027FAC281000-memory.dmp (Filesize: 452KB)
• memory/340-211-0x0000026116740000-0x00000261167B1000-memory.dmp (Filesize: 452KB)
• memory/744-319-0x0000000000E80000-0x0000000000E81000-memory.dmp (Filesize: 4KB)
• memory/744-342-0x00000000015A0000-0x00000000015A1000-memory.dmp (Filesize: 4KB)
• memory/908-391-0x0000000005760000-0x0000000005761000-memory.dmp (Filesize: 4KB)
• memory/908-352-0x0000000077C60000-0x0000000077DEE000-memory.dmp (Filesize: 1.6MB)
• memory/908-358-0x0000000000390000-0x0000000000391000-memory.dmp (Filesize: 4KB)
• memory/1004-402-0x0000000000400000-0x00000000009F0000-memory.dmp (Filesize: 5.9MB)
• memory/1004-401-0x00000000025E0000-0x000000000267D000-memory.dmp (Filesize: 628KB)
• memory/1096-215-0x0000029F00770000-0x0000029F007E1000-memory.dmp (Filesize: 452KB)
• memory/1180-257-0x0000026034FB0000-0x0000026035021000-memory.dmp (Filesize: 452KB)
• memory/1204-200-0x000001618D480000-0x000001618D4CC000-memory.dmp (Filesize: 304KB)
• memory/1204-205-0x000001618D540000-0x000001618D5B1000-memory.dmp (Filesize: 452KB)
• memory/1356-209-0x00000287E7710000-0x00000287E7781000-memory.dmp (Filesize: 452KB)
• memory/1376-271-0x000002AD6F400000-0x000002AD6F471000-memory.dmp (Filesize: 452KB)
• memory/1400-317-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
• memory/1400-376-0x0000000004F90000-0x0000000005596000-memory.dmp (Filesize: 6.0MB)
• memory/1428-229-0x000001F56A200000-0x000001F56A271000-memory.dmp (Filesize: 452KB)
• memory/1908-252-0x000001430C400000-0x000001430C471000-memory.dmp (Filesize: 452KB)
• memory/2568-295-0x0000000000DE0000-0x0000000000DF0000-memory.dmp (Filesize: 64KB)
• memory/2568-275-0x0000000000DE0000-0x0000000000DF0000-memory.dmp (Filesize: 64KB)

                                                                                                                                                                                                                                                                                                                                          • memory/2568-226-0x0000000000D40000-0x0000000000D55000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            84KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-340-0x0000000000E10000-0x0000000000E20000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-253-0x0000000000D60000-0x0000000000D70000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-359-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-369-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-375-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-372-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-400-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-399-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-265-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-380-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-383-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-273-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-396-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-397-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-361-0x0000000000E10000-0x0000000000E20000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-298-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2568-297-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            64KB

                                                                                                                                                                                                                                                                                                                                          • memory/2576-207-0x00000154C7CD0000-0x00000154C7D41000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            452KB

                                                                                                                                                                                                                                                                                                                                          • memory/2604-185-0x0000000004AD6000-0x0000000004BD7000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            1.0MB

                                                                                                                                                                                                                                                                                                                                          • memory/2604-186-0x00000000032E0000-0x000000000333D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            372KB

                                                                                                                                                                                                                                                                                                                                          • memory/2608-213-0x000002209BB00000-0x000002209BB71000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            452KB

                                                                                                                                                                                                                                                                                                                                          • memory/2756-208-0x0000028AEBFA0000-0x0000028AEC011000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            452KB

                                                                                                                                                                                                                                                                                                                                          • memory/2836-291-0x000001B333A40000-0x000001B333AB1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            452KB

                                                                                                                                                                                                                                                                                                                                          • memory/2852-293-0x000001D2CBB40000-0x000001D2CBBB1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            452KB

                                                                                                                                                                                                                                                                                                                                          • memory/3712-202-0x0000000000060000-0x0000000000061000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                          • memory/3808-172-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize: 36KB

• memory/3808-174-0x0000000000400000-0x0000000000896000-memory.dmp (Filesize: 4.6MB)
• memory/3824-156-0x00000000006B0000-0x00000000006B1000-memory.dmp (Filesize: 4KB)
• memory/3824-163-0x000000001B3D0000-0x000000001B3D2000-memory.dmp (Filesize: 8KB)
• memory/3828-133-0x000000006B280000-0x000000006B2A6000-memory.dmp (Filesize: 152KB)
• memory/3828-136-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize: 100KB)
• memory/3828-131-0x000000006B440000-0x000000006B4CF000-memory.dmp (Filesize: 572KB)
• memory/3828-132-0x000000006FE40000-0x000000006FFC6000-memory.dmp (Filesize: 1.5MB)
• memory/3828-134-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize: 100KB)
• memory/3828-135-0x0000000000400000-0x000000000051D000-memory.dmp (Filesize: 1.1MB)
• memory/3828-137-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize: 100KB)
• memory/3828-138-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize: 100KB)
• memory/3948-180-0x0000000000A00000-0x0000000000B4A000-memory.dmp (Filesize: 1.3MB)
• memory/3948-181-0x0000000000400000-0x00000000008F2000-memory.dmp (Filesize: 4.9MB)
• memory/4232-356-0x00000000057A0000-0x0000000005DA6000-memory.dmp (Filesize: 6.0MB)
• memory/4232-316-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
• memory/4244-406-0x00000000008B0000-0x00000000008F7000-memory.dmp (Filesize: 284KB)
• memory/4288-259-0x00000000053A0000-0x00000000053A1000-memory.dmp (Filesize: 4KB)
• memory/4288-233-0x0000000000BD0000-0x0000000000BD1000-memory.dmp (Filesize: 4KB)
• memory/4288-244-0x0000000005420000-0x0000000005421000-memory.dmp (Filesize: 4KB)
• memory/4288-260-0x0000000005640000-0x0000000005641000-memory.dmp (Filesize: 4KB)
• memory/4332-320-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
• memory/4332-355-0x0000000005740000-0x0000000005D46000-memory.dmp (Filesize: 6.0MB)
• memory/4368-392-0x0000000000400000-0x00000000004A1000-memory.dmp (Filesize: 644KB)
• memory/4372-269-0x0000000004AF0000-0x0000000004AF1000-memory.dmp (Filesize: 4KB)
• memory/4372-238-0x0000000000100000-0x0000000000101000-memory.dmp (Filesize: 4KB)
• memory/4380-254-0x0000000000A00000-0x0000000000A01000-memory.dmp (Filesize: 4KB)
• memory/4380-280-0x00000000054D0000-0x00000000054D1000-memory.dmp (Filesize: 4KB)
• memory/4456-365-0x0000000077C60000-0x0000000077DEE000-memory.dmp (Filesize: 1.6MB)
• memory/4456-364-0x0000000000F20000-0x0000000000F21000-memory.dmp (Filesize: 4KB)
• memory/4456-393-0x0000000005FD0000-0x0000000005FD1000-memory.dmp (Filesize: 4KB)
• memory/4536-245-0x0000000000B50000-0x0000000000B51000-memory.dmp (Filesize: 4KB)
• memory/4536-299-0x00000000054D0000-0x00000000054D1000-memory.dmp (Filesize: 4KB)
• memory/4536-368-0x00000000053F0000-0x00000000053FF000-memory.dmp (Filesize: 60KB)
• memory/4816-290-0x0000000004D10000-0x0000000004D11000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                          • memory/4816-264-0x0000000000430000-0x0000000000431000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                          • memory/4816-278-0x0000000005260000-0x0000000005261000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                          • memory/4816-334-0x0000000004D50000-0x0000000004D51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                          • memory/4816-335-0x0000000004C50000-0x0000000005256000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            6.0MB

                                                                                                                                                                                                                                                                                                                                          • memory/4816-282-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                          • memory/5032-301-0x0000000000E10000-0x0000000000E11000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                          • memory/5032-330-0x0000000005830000-0x0000000005831000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                          • memory/5056-294-0x0000000000400000-0x000000000064F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                            2.3MB