djvu | 90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407

Resubmissions

07/09/2021, 17:58

210907-wkd7wadah9 10

07/09/2021, 17:45

210907-wb81wsdag7 10

Analysis

max time kernel
24s
max time network
616s
platform
windows10_x64
resource
win10-jp
submitted
07/09/2021, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

2.9MB
MD5

3f1f81101d0ce95fdfac97f5913cd662
SHA1

8e615a64e4d72b08926242b7d73a608bdd7e9fce
SHA256

90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407
SHA512

a776c1f8636ef90d294becf8d09a45366463364026837c19e13227c1c5c9a6656b6fa525e0eec5a1a46997b6ef7066e958c02523a7c4538d046f8b2091145285

Malware Config

Extracted

Family

vidar

Version

40.5

Botnet

706

https://gheorghip.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

Jayson

95.181.172.207:56915

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

vidar

Version

40.5

Botnet

916

https://gheorghip.tumblr.com/

Attributes

profile_id
916

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 1 IoCs

resource	yara_rule
behavioral7/memory/5680-564-0x00000000050D0000-0x00000000059EE000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	4376	rundll32.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8420	4376	rundll32.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8164	4376	rundll32.exe	38

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

resource	yara_rule
behavioral7/memory/2656-231-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral7/memory/2656-233-0x000000000041C5E2-mapping.dmp	family_redline
behavioral7/memory/2308-326-0x000000000041C5E2-mapping.dmp	family_redline
behavioral7/memory/4440-363-0x000000000041C5E2-mapping.dmp	family_redline
behavioral7/memory/5272-434-0x000000000041C5E2-mapping.dmp	family_redline
behavioral7/memory/6020-477-0x000000000041C5E2-mapping.dmp	family_redline
behavioral7/memory/6064-561-0x000000000041C5E2-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral7/files/0x000400000001ab61-156.dat	family_socelars
behavioral7/files/0x000400000001ab61-186.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

rl_trojan 4 IoCs

redline stealer.

stealer

resource	yara_rule
behavioral7/files/0x000400000001ab65-152.dat	redline
behavioral7/files/0x000400000001ab65-181.dat	redline
behavioral7/files/0x000400000001ab65-237.dat	redline
behavioral7/files/0x000400000001ab65-304.dat	redline

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral7/memory/1576-209-0x00000000047D0000-0x00000000048A1000-memory.dmp	family_vidar
behavioral7/memory/1576-221-0x0000000000400000-0x0000000002BB2000-memory.dmp	family_vidar
behavioral7/memory/4624-322-0x00000000048E0000-0x00000000049B1000-memory.dmp	family_vidar
behavioral7/memory/4624-349-0x0000000000400000-0x0000000002BB2000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral7/files/0x000400000001ab58-124.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab58-125.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab59-122.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab59-127.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab5b-128.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab5b-131.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 23 IoCs

pid	Process
4372	setup_installer.exe
4084	setup_install.exe
1576	Tue112c483dd3245d.exe
1512	Tue11b9d76a96506.exe
1696	Tue11d7385a978cc.exe
1508	Tue11f251db82fb7b.exe
1924	Tue11bc0507b56295.exe
2068	Tue1109eec571ac.exe
4548	Tue11141271fbe5877f.exe
2672	Tue11e4e580f2e8141a3.exe
2704	Tue118f55232e4.exe
4436	Tue11b9d76a96506.tmp
4684	LzmwAqmV.exe
2116	46807GHF____.exe
3932	MsiExec.exe
3904	UltraMediaBurner.exe
2656	Tue11e4e580f2e8141a3.exe
4624	Alfanewfile2.exe
612	2.exe
1212	8463392.exe
4444	3688387.exe
4368	setup.exe
3944	Tue11e4e580f2e8141a3.exe

Loads dropped DLL 7 IoCs

pid	Process
4084	setup_install.exe
4084	setup_install.exe
4084	setup_install.exe
4084	setup_install.exe
4084	setup_install.exe
4084	setup_install.exe
4436	Tue11b9d76a96506.tmp

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3320	icacls.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Tue11b9d76a96506.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	ip-api.com
95	ip-api.com
416	api.2ip.ua
417	api.2ip.ua
518	api.2ip.ua

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 2656	2672	Tue11e4e580f2e8141a3.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
3908	2068	WerFault.exe	104
4572	2068	WerFault.exe	104
3880	4368	WerFault.exe	114
5480	4368	WerFault.exe	114
5296	2068	WerFault.exe	104
5940	4368	WerFault.exe	114
5816	2068	WerFault.exe	104
5216	4368	WerFault.exe	114
5720	4368	WerFault.exe	114
5944	4368	WerFault.exe	114
3880	2068	WerFault.exe	104
6060	4368	WerFault.exe	114
5628	4368	WerFault.exe	114
5668	4368	WerFault.exe	114
5572	2068	WerFault.exe	104
5776	2068	WerFault.exe	104
4284	2068	WerFault.exe	104
7312	9020	WerFault.exe	193
6540	1212	WerFault.exe	113
6680	9028	WerFault.exe	192
6972	9028	WerFault.exe	192
7108	9028	WerFault.exe	192
3920	9028	WerFault.exe	192
7372	9028	WerFault.exe	192
7652	8652	WerFault.exe	202
7716	8652	WerFault.exe	202
7768	8652	WerFault.exe	202
7900	8652	WerFault.exe	202
8012	8652	WerFault.exe	202
8940	9028	WerFault.exe	192
3528	9028	WerFault.exe	192

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2272	schtasks.exe
4212	schtasks.exe
2640	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
8108	timeout.exe
8120	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
8376	taskkill.exe
2324	taskkill.exe
6572	taskkill.exe
6664	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
364	powershell.exe
364	powershell.exe
364	powershell.exe
1924	Tue11bc0507b56295.exe
1924	Tue11bc0507b56295.exe
364	powershell.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	Tue11f251db82fb7b.exe
Token: SeCreateTokenPrivilege	2704	Tue118f55232e4.exe
Token: SeAssignPrimaryTokenPrivilege	2704	Tue118f55232e4.exe
Token: SeLockMemoryPrivilege	2704	Tue118f55232e4.exe
Token: SeIncreaseQuotaPrivilege	2704	Tue118f55232e4.exe
Token: SeMachineAccountPrivilege	2704	Tue118f55232e4.exe
Token: SeTcbPrivilege	2704	Tue118f55232e4.exe
Token: SeSecurityPrivilege	2704	Tue118f55232e4.exe
Token: SeTakeOwnershipPrivilege	2704	Tue118f55232e4.exe
Token: SeLoadDriverPrivilege	2704	Tue118f55232e4.exe
Token: SeSystemProfilePrivilege	2704	Tue118f55232e4.exe
Token: SeSystemtimePrivilege	2704	Tue118f55232e4.exe
Token: SeProfSingleProcessPrivilege	2704	Tue118f55232e4.exe
Token: SeIncBasePriorityPrivilege	2704	Tue118f55232e4.exe
Token: SeCreatePagefilePrivilege	2704	Tue118f55232e4.exe
Token: SeCreatePermanentPrivilege	2704	Tue118f55232e4.exe
Token: SeBackupPrivilege	2704	Tue118f55232e4.exe
Token: SeRestorePrivilege	2704	Tue118f55232e4.exe
Token: SeShutdownPrivilege	2704	Tue118f55232e4.exe
Token: SeDebugPrivilege	2704	Tue118f55232e4.exe
Token: SeAuditPrivilege	2704	Tue118f55232e4.exe
Token: SeSystemEnvironmentPrivilege	2704	Tue118f55232e4.exe
Token: SeChangeNotifyPrivilege	2704	Tue118f55232e4.exe
Token: SeRemoteShutdownPrivilege	2704	Tue118f55232e4.exe
Token: SeUndockPrivilege	2704	Tue118f55232e4.exe
Token: SeSyncAgentPrivilege	2704	Tue118f55232e4.exe
Token: SeEnableDelegationPrivilege	2704	Tue118f55232e4.exe
Token: SeManageVolumePrivilege	2704	Tue118f55232e4.exe
Token: SeImpersonatePrivilege	2704	Tue118f55232e4.exe
Token: SeCreateGlobalPrivilege	2704	Tue118f55232e4.exe
Token: 31	2704	Tue118f55232e4.exe
Token: 32	2704	Tue118f55232e4.exe
Token: 33	2704	Tue118f55232e4.exe
Token: 34	2704	Tue118f55232e4.exe
Token: 35	2704	Tue118f55232e4.exe
Token: SeDebugPrivilege	364	powershell.exe
Token: SeDebugPrivilege	4548	Tue11141271fbe5877f.exe
Token: SeDebugPrivilege	612	2.exe
Token: SeDebugPrivilege	3904	UltraMediaBurner.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4372	5020	setup_x86_x64_install.exe	83
PID 5020 wrote to memory of 4372	5020	setup_x86_x64_install.exe	83
PID 5020 wrote to memory of 4372	5020	setup_x86_x64_install.exe	83
PID 4372 wrote to memory of 4084	4372	setup_installer.exe	84
PID 4372 wrote to memory of 4084	4372	setup_installer.exe	84
PID 4372 wrote to memory of 4084	4372	setup_installer.exe	84
PID 4084 wrote to memory of 4584	4084	setup_install.exe	87
PID 4084 wrote to memory of 4584	4084	setup_install.exe	87
PID 4084 wrote to memory of 4584	4084	setup_install.exe	87
PID 4084 wrote to memory of 3296	4084	setup_install.exe	88
PID 4084 wrote to memory of 3296	4084	setup_install.exe	88
PID 4084 wrote to memory of 3296	4084	setup_install.exe	88
PID 4084 wrote to memory of 500	4084	setup_install.exe	92
PID 4084 wrote to memory of 500	4084	setup_install.exe	92
PID 4084 wrote to memory of 500	4084	setup_install.exe	92
PID 4084 wrote to memory of 4728	4084	setup_install.exe	91
PID 4084 wrote to memory of 4728	4084	setup_install.exe	91
PID 4084 wrote to memory of 4728	4084	setup_install.exe	91
PID 4084 wrote to memory of 640	4084	setup_install.exe	89
PID 4084 wrote to memory of 640	4084	setup_install.exe	89
PID 4084 wrote to memory of 640	4084	setup_install.exe	89
PID 4084 wrote to memory of 896	4084	setup_install.exe	90
PID 4084 wrote to memory of 896	4084	setup_install.exe	90
PID 4084 wrote to memory of 896	4084	setup_install.exe	90
PID 4084 wrote to memory of 996	4084	setup_install.exe	93
PID 4084 wrote to memory of 996	4084	setup_install.exe	93
PID 4084 wrote to memory of 996	4084	setup_install.exe	93
PID 4584 wrote to memory of 364	4584	cmd.exe	108
PID 4584 wrote to memory of 364	4584	cmd.exe	108
PID 4584 wrote to memory of 364	4584	cmd.exe	108
PID 4084 wrote to memory of 680	4084	setup_install.exe	95
PID 4084 wrote to memory of 680	4084	setup_install.exe	95
PID 4084 wrote to memory of 680	4084	setup_install.exe	95
PID 4084 wrote to memory of 1160	4084	setup_install.exe	94
PID 4084 wrote to memory of 1160	4084	setup_install.exe	94
PID 4084 wrote to memory of 1160	4084	setup_install.exe	94
PID 4084 wrote to memory of 1196	4084	setup_install.exe	96
PID 4084 wrote to memory of 1196	4084	setup_install.exe	96
PID 4084 wrote to memory of 1196	4084	setup_install.exe	96
PID 1196 wrote to memory of 1576	1196	cmd.exe	98
PID 1196 wrote to memory of 1576	1196	cmd.exe	98
PID 1196 wrote to memory of 1576	1196	cmd.exe	98
PID 500 wrote to memory of 1512	500	cmd.exe	107
PID 500 wrote to memory of 1512	500	cmd.exe	107
PID 500 wrote to memory of 1512	500	cmd.exe	107
PID 4728 wrote to memory of 1508	4728	6574530.exe	106
PID 4728 wrote to memory of 1508	4728	6574530.exe	106
PID 3296 wrote to memory of 1696	3296	cmd.exe	97
PID 3296 wrote to memory of 1696	3296	cmd.exe	97
PID 3296 wrote to memory of 1696	3296	cmd.exe	97
PID 896 wrote to memory of 1924	896	cmd.exe	105
PID 896 wrote to memory of 1924	896	cmd.exe	105
PID 896 wrote to memory of 1924	896	cmd.exe	105
PID 640 wrote to memory of 2068	640	cmd.exe	104
PID 640 wrote to memory of 2068	640	cmd.exe	104
PID 640 wrote to memory of 2068	640	cmd.exe	104
PID 680 wrote to memory of 4548	680	cmd.exe	103
PID 680 wrote to memory of 4548	680	cmd.exe	103
PID 996 wrote to memory of 2672	996	cmd.exe	99
PID 996 wrote to memory of 2672	996	cmd.exe	99
PID 996 wrote to memory of 2672	996	cmd.exe	99
PID 1160 wrote to memory of 2704	1160	cmd.exe	100
PID 1160 wrote to memory of 2704	1160	cmd.exe	100
PID 1160 wrote to memory of 2704	1160	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS41107F34\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4584
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11d7385a978cc.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3296
    - - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11d7385a978cc.exe
        
        Tue11d7385a978cc.exe
        5⤵
        Executes dropped EXE
        
        PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1109eec571ac.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue1109eec571ac.exe
        
        Tue1109eec571ac.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:2068
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 656
        6⤵
        Program crash
        
        PID:3908
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 672
        6⤵
        Program crash
        
        PID:4572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 680
        6⤵
        Program crash
        
        PID:5296
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 636
        6⤵
        Program crash
        
        PID:5816
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 880
        6⤵
        Program crash
        
        PID:3880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 864
        6⤵
        Program crash
        
        PID:5572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 1148
        6⤵
        Program crash
        
        PID:5776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 1140
        6⤵
        Program crash
        
        PID:4284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11bc0507b56295.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:896
    - - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11bc0507b56295.exe
        
        Tue11bc0507b56295.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        
        PID:1924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11f251db82fb7b.exe
      4⤵
      PID:4728
    - - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11f251db82fb7b.exe
        
        Tue11f251db82fb7b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        
        PID:3932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:2252
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:6508
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:4212
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:4296
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Roaming\5806151.exe
        
        "C:\Users\Admin\AppData\Roaming\5806151.exe"
        8⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Roaming\7393419.exe
        
        "C:\Users\Admin\AppData\Roaming\7393419.exe"
        8⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Roaming\6574530.exe
        
        "C:\Users\Admin\AppData\Roaming\6574530.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Users\Admin\AppData\Roaming\3843868.exe
        
        "C:\Users\Admin\AppData\Roaming\3843868.exe"
        8⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 768
        8⤵
        Program crash
        
        PID:3880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 840
        8⤵
        Program crash
        
        PID:5480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 856
        8⤵
        Program crash
        
        PID:5940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 900
        8⤵
        Program crash
        
        PID:5216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 964
        8⤵
        Program crash
        
        PID:5720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1092
        8⤵
        Program crash
        
        PID:5944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1404
        8⤵
        Program crash
        
        PID:6060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1368
        8⤵
        Program crash
        
        PID:5628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1396
        8⤵
        Program crash
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        9⤵
        
        PID:8372
        
        C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe"
        7⤵
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Alfanewfile2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe" & del C:\ProgramData\*.dll & exit
        8⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Alfanewfile2.exe /f
        9⤵
        Kills process with taskkill
        
        PID:6572
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:8108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11b9d76a96506.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:500
    - - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11b9d76a96506.exe
        
        Tue11b9d76a96506.exe
        5⤵
        Executes dropped EXE
        
        PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11e4e580f2e8141a3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:996
    - - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        Tue11e4e580f2e8141a3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2672
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2656
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2308
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4336
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4440
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5272
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6020
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5628
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6064
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4080
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5164
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5484
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4340
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6928
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9020 -s 24
        7⤵
        Program crash
        
        PID:7312
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6908
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5460
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6528
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1216
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7744
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8276
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8420
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4140
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7044
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5804
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6668
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8144
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9144
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4692
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8128
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6252
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7664
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:800
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6576
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7228
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4700
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8856
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7872
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3960
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3968
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4292
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7656
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1268
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5488
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8216
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7988
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:3944
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4572
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4428
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5696
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4500
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4712
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7900
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7952
      - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue118f55232e4.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue118f55232e4.exe
        
        Tue118f55232e4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11141271fbe5877f.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:680
    - - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11141271fbe5877f.exe
        
        Tue11141271fbe5877f.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4548
      - C:\ProgramData\8463392.exe
        
        "C:\ProgramData\8463392.exe"
        6⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1212 -s 1936
        7⤵
        Program crash
        
        PID:6540
      - C:\ProgramData\6241701.exe
        
        "C:\ProgramData\6241701.exe"
        6⤵
        
        PID:3452
      - C:\ProgramData\3688387.exe
        
        "C:\ProgramData\3688387.exe"
        6⤵
        Executes dropped EXE
        
        PID:4444
      - C:\ProgramData\3767081.exe
        
        "C:\ProgramData\3767081.exe"
        6⤵
        
        PID:5008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue112c483dd3245d.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1196
    - - C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue112c483dd3245d.exe
        
        Tue112c483dd3245d.exe
        5⤵
        Executes dropped EXE
        
        PID:1576
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Tue112c483dd3245d.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue112c483dd3245d.exe" & del C:\ProgramData\*.dll & exit
        6⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Tue112c483dd3245d.exe /f
        7⤵
        Kills process with taskkill
        
        PID:6664
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:8120

C:\Users\Admin\AppData\Local\Temp\is-KLFS3.tmp\Tue11b9d76a96506.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KLFS3.tmp\Tue11b9d76a96506.tmp" /SL5="$50032,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS41107F34\Tue11b9d76a96506.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4436
- C:\Users\Admin\AppData\Local\Temp\is-2JQNT.tmp\46807GHF____.exe
  "C:\Users\Admin\AppData\Local\Temp\is-2JQNT.tmp\46807GHF____.exe" /S /UID=burnerch2
  2⤵
  - Executes dropped EXE
  PID:2116
- - C:\Program Files\MSBuild\HLMAZVSNDK\ultramediaburner.exe
    "C:\Program Files\MSBuild\HLMAZVSNDK\ultramediaburner.exe" /VERYSILENT
    3⤵
    PID:5416
  - - C:\Users\Admin\AppData\Local\Temp\is-611UB.tmp\ultramediaburner.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-611UB.tmp\ultramediaburner.tmp" /SL5="$800FA,281924,62464,C:\Program Files\MSBuild\HLMAZVSNDK\ultramediaburner.exe" /VERYSILENT
      4⤵
      PID:2400
    - - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
- - C:\Users\Admin\AppData\Local\Temp\3f-3ac3f-0d9-d0694-dff13b2eb9884\Vihylozhaka.exe
    "C:\Users\Admin\AppData\Local\Temp\3f-3ac3f-0d9-d0694-dff13b2eb9884\Vihylozhaka.exe"
    3⤵
    PID:5964
- - C:\Users\Admin\AppData\Local\Temp\a9-b2858-6b0-582b4-0bedea6beab55\Lishacidege.exe
    "C:\Users\Admin\AppData\Local\Temp\a9-b2858-6b0-582b4-0bedea6beab55\Lishacidege.exe"
    3⤵
    PID:5852
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d5xsi3sb.p4j\GcleanerEU.exe /eufive & exit
      4⤵
      PID:6584
    - - C:\Users\Admin\AppData\Local\Temp\d5xsi3sb.p4j\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\d5xsi3sb.p4j\GcleanerEU.exe /eufive
        5⤵
        
        PID:9028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9028 -s 652
        6⤵
        Program crash
        
        PID:6680
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9028 -s 668
        6⤵
        Program crash
        
        PID:6972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9028 -s 768
        6⤵
        Program crash
        
        PID:7108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9028 -s 816
        6⤵
        Program crash
        
        PID:3920
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9028 -s 884
        6⤵
        Program crash
        
        PID:7372
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9028 -s 932
        6⤵
        Program crash
        
        PID:8940
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9028 -s 1108
        6⤵
        Program crash
        
        PID:3528
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bjsvy03t.rfk\installer.exe /qn CAMPAIGN="654" & exit
      4⤵
      PID:8700
    - - C:\Users\Admin\AppData\Local\Temp\bjsvy03t.rfk\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\bjsvy03t.rfk\installer.exe /qn CAMPAIGN="654"
        5⤵
        
        PID:9120
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\bjsvy03t.rfk\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\bjsvy03t.rfk\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630777742 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        6⤵
        
        PID:6804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vigpl2qo.y0c\anyname.exe & exit
      4⤵
      PID:8532
    - - C:\Users\Admin\AppData\Local\Temp\vigpl2qo.y0c\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\vigpl2qo.y0c\anyname.exe
        5⤵
        
        PID:8396
      - C:\Users\Admin\AppData\Local\Temp\vigpl2qo.y0c\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vigpl2qo.y0c\anyname.exe" -u
        6⤵
        
        PID:3832
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sh331yxb.40d\gcleaner.exe /mixfive & exit
      4⤵
      PID:8848
    - - C:\Users\Admin\AppData\Local\Temp\sh331yxb.40d\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\sh331yxb.40d\gcleaner.exe /mixfive
        5⤵
        
        PID:8652
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8652 -s 652
        6⤵
        Program crash
        
        PID:7652
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8652 -s 668
        6⤵
        Program crash
        
        PID:7716
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8652 -s 672
        6⤵
        Program crash
        
        PID:7768
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8652 -s 804
        6⤵
        Program crash
        
        PID:7900
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8652 -s 876
        6⤵
        Program crash
        
        PID:8012
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4aqu30j2.mpa\autosubplayer.exe /S & exit
      4⤵
      PID:6276

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
1⤵
PID:3212
- C:\Users\Admin\AppData\Local\Temp\is-8T9JA.tmp\setup_2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8T9JA.tmp\setup_2.tmp" /SL5="$2027E,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
  2⤵
  PID:4296

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
1⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\is-UDN82.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UDN82.tmp\setup_2.tmp" /SL5="$20212,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
1⤵
PID:1536

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:4860

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5136

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:8440

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8420

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8444

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:972

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:7020
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D16327BAEF301FD58D978EE75A34A165 C
  2⤵
  PID:3200
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AB80F478305D63B332EEE1DE300FC89F
  2⤵
  - Executes dropped EXE
  PID:3932
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:8376
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BAA6BCDB4D3FBF6DD6663E77AC7A5CC6 E Global\MSI0000
  2⤵
  PID:6296

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7248

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7440

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8164
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:8180

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5424

C:\Users\Admin\AppData\Local\Temp\F02D.exe
C:\Users\Admin\AppData\Local\Temp\F02D.exe
1⤵
PID:6604

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\963.exe
C:\Users\Admin\AppData\Local\Temp\963.exe
1⤵
PID:4008

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9132

C:\Users\Admin\AppData\Local\Temp\49F7.exe
C:\Users\Admin\AppData\Local\Temp\49F7.exe
1⤵
PID:8412
- C:\Users\Admin\AppData\Local\Temp\49F7.exe
  C:\Users\Admin\AppData\Local\Temp\49F7.exe
  2⤵
  PID:5748
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\39d8d54e-01d1-48b9-bf32-0ef00879d514" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:3320
- - C:\Users\Admin\AppData\Local\Temp\49F7.exe
    "C:\Users\Admin\AppData\Local\Temp\49F7.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:8380
  - - C:\Users\Admin\AppData\Local\Temp\49F7.exe
      "C:\Users\Admin\AppData\Local\Temp\49F7.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:3504
    - - C:\Users\Admin\AppData\Local\ad5c17df-0727-4615-b3bb-015f2812a1fb\build2.exe
        
        "C:\Users\Admin\AppData\Local\ad5c17df-0727-4615-b3bb-015f2812a1fb\build2.exe"
        5⤵
        
        PID:6052
      - C:\Users\Admin\AppData\Local\ad5c17df-0727-4615-b3bb-015f2812a1fb\build2.exe
        
        "C:\Users\Admin\AppData\Local\ad5c17df-0727-4615-b3bb-015f2812a1fb\build2.exe"
        6⤵
        
        PID:8840
    - - C:\Users\Admin\AppData\Local\ad5c17df-0727-4615-b3bb-015f2812a1fb\build3.exe
        
        "C:\Users\Admin\AppData\Local\ad5c17df-0727-4615-b3bb-015f2812a1fb\build3.exe"
        5⤵
        
        PID:7864
      - C:\Users\Admin\AppData\Local\ad5c17df-0727-4615-b3bb-015f2812a1fb\build3.exe
        
        "C:\Users\Admin\AppData\Local\ad5c17df-0727-4615-b3bb-015f2812a1fb\build3.exe"
        6⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:2640

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:8604

C:\Users\Admin\AppData\Local\Temp\735A.exe
C:\Users\Admin\AppData\Local\Temp\735A.exe
1⤵
PID:6536

C:\Users\Admin\AppData\Local\Temp\A018.exe
C:\Users\Admin\AppData\Local\Temp\A018.exe
1⤵
PID:504
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\A018.exe"
  2⤵
  PID:8664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/340-379-0x0000024077F40000-0x0000024077FB4000-memory.dmp

Filesize
464KB

Download
memory/364-203-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/364-187-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/364-180-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/364-204-0x0000000007440000-0x0000000007441000-memory.dmp

Filesize
4KB

Download
memory/364-205-0x0000000007D60000-0x0000000007D61000-memory.dmp

Filesize
4KB

Download
memory/364-206-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/364-192-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/364-219-0x0000000008380000-0x0000000008381000-memory.dmp

Filesize
4KB

Download
memory/364-207-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

Filesize
4KB

Download
memory/364-212-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/364-211-0x0000000008230000-0x0000000008231000-memory.dmp

Filesize
4KB

Download
memory/364-200-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/364-190-0x0000000004DE2000-0x0000000004DE3000-memory.dmp

Filesize
4KB

Download
memory/364-414-0x000000007EB00000-0x000000007EB01000-memory.dmp

Filesize
4KB

Download
memory/364-464-0x0000000004DE3000-0x0000000004DE4000-memory.dmp

Filesize
4KB

Download
memory/612-271-0x000000001BB70000-0x000000001BB72000-memory.dmp

Filesize
8KB

Download
memory/612-255-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/1048-449-0x000001D15F2A0000-0x000001D15F314000-memory.dmp

Filesize
464KB

Download
memory/1108-420-0x0000028A9D140000-0x0000028A9D1B4000-memory.dmp

Filesize
464KB

Download
memory/1176-466-0x0000015993510000-0x0000015993584000-memory.dmp

Filesize
464KB

Download
memory/1212-293-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1212-260-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1212-297-0x0000000000F10000-0x0000000000F12000-memory.dmp

Filesize
8KB

Download
memory/1212-282-0x0000000000E60000-0x0000000000EAB000-memory.dmp

Filesize
300KB

Download
memory/1212-272-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1380-483-0x000001FF9B780000-0x000001FF9B7F4000-memory.dmp

Filesize
464KB

Download
memory/1400-452-0x000001123B170000-0x000001123B1E4000-memory.dmp

Filesize
464KB

Download
memory/1508-193-0x0000000000B90000-0x0000000000B92000-memory.dmp

Filesize
8KB

Download
memory/1508-171-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1512-185-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1536-301-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1576-221-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/1576-209-0x00000000047D0000-0x00000000048A1000-memory.dmp

Filesize
836KB

Download
memory/1924-208-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/1924-218-0x0000000000400000-0x0000000002B48000-memory.dmp

Filesize
39.3MB

Download
memory/1928-457-0x0000017DEC0B0000-0x0000017DEC124000-memory.dmp

Filesize
464KB

Download
memory/2068-220-0x0000000000400000-0x0000000002B61000-memory.dmp

Filesize
39.4MB

Download
memory/2068-210-0x00000000047A0000-0x00000000047E8000-memory.dmp

Filesize
288KB

Download
memory/2116-248-0x0000000000E20000-0x0000000000E22000-memory.dmp

Filesize
8KB

Download
memory/2172-296-0x0000000000850000-0x0000000000865000-memory.dmp

Filesize
84KB

Download
memory/2308-366-0x0000000004FA0000-0x00000000055A6000-memory.dmp

Filesize
6.0MB

Download
memory/2360-417-0x0000023087EA0000-0x0000023087F14000-memory.dmp

Filesize
464KB

Download
memory/2372-424-0x0000020B45DD0000-0x0000020B45E44000-memory.dmp

Filesize
464KB

Download
memory/2572-361-0x000001A9C3A00000-0x000001A9C3A74000-memory.dmp

Filesize
464KB

Download
memory/2656-280-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/2656-249-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/2656-259-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/2656-231-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2656-265-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/2656-279-0x0000000005370000-0x0000000005976000-memory.dmp

Filesize
6.0MB

Download
memory/2672-197-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/2672-194-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/2672-199-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/2672-182-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/2680-489-0x000001D108400000-0x000001D108474000-memory.dmp

Filesize
464KB

Download
memory/2696-486-0x000001D81F080000-0x000001D81F0F4000-memory.dmp

Filesize
464KB

Download
memory/3212-312-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3452-409-0x0000000005F10000-0x0000000006516000-memory.dmp

Filesize
6.0MB

Download
memory/3452-355-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/3904-256-0x00000000014E0000-0x00000000014F5000-memory.dmp

Filesize
84KB

Download
memory/3904-240-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/3904-274-0x0000000001500000-0x0000000001502000-memory.dmp

Filesize
8KB

Download
memory/3932-232-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3944-278-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4084-144-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4084-137-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4084-133-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4084-135-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4084-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4084-139-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4084-134-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4296-334-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4336-376-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/4368-323-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/4368-344-0x0000000000400000-0x0000000002B53000-memory.dmp

Filesize
39.3MB

Download
memory/4436-201-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4440-405-0x0000000004C90000-0x0000000005296000-memory.dmp

Filesize
6.0MB

Download
memory/4444-281-0x00000000014E0000-0x00000000014E1000-memory.dmp

Filesize
4KB

Download
memory/4444-302-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/4444-289-0x000000000AE60000-0x000000000AE61000-memory.dmp

Filesize
4KB

Download
memory/4444-285-0x00000000014F0000-0x00000000014FC000-memory.dmp

Filesize
48KB

Download
memory/4444-292-0x000000000AA40000-0x000000000AA41000-memory.dmp

Filesize
4KB

Download
memory/4444-270-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/4548-222-0x000000001B9B0000-0x000000001B9B1000-memory.dmp

Filesize
4KB

Download
memory/4548-196-0x000000001B500000-0x000000001B501000-memory.dmp

Filesize
4KB

Download
memory/4548-195-0x0000000000980000-0x0000000000995000-memory.dmp

Filesize
84KB

Download
memory/4548-183-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/4548-202-0x000000001B0E0000-0x000000001B0E2000-memory.dmp

Filesize
8KB

Download
memory/4624-349-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/4624-322-0x00000000048E0000-0x00000000049B1000-memory.dmp

Filesize
836KB

Download
memory/4684-216-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/4728-544-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/4860-358-0x0000000000EE0000-0x0000000000F3F000-memory.dmp

Filesize
380KB

Download
memory/4860-351-0x0000000004368000-0x0000000004469000-memory.dmp

Filesize
1.0MB

Download
memory/5008-428-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/5044-306-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/5044-310-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/5080-382-0x000001E7BB280000-0x000001E7BB2CD000-memory.dmp

Filesize
308KB

Download
memory/5080-347-0x000001E7BB340000-0x000001E7BB3B4000-memory.dmp

Filesize
464KB

Download
memory/5136-370-0x000002A788270000-0x000002A7882E4000-memory.dmp

Filesize
464KB

Download
memory/5272-454-0x0000000004F50000-0x0000000005556000-memory.dmp

Filesize
6.0MB

Download
memory/5432-469-0x0000000002FB0000-0x0000000002FB2000-memory.dmp

Filesize
8KB

Download
memory/5528-461-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/5680-564-0x00000000050D0000-0x00000000059EE000-memory.dmp

Filesize
9.1MB

Download
memory/5912-547-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/6020-504-0x0000000004F80000-0x0000000005586000-memory.dmp

Filesize
6.0MB

Download